Posts Tagged ‘exploit’

Tuesday, February 18, 2014 @ 02:02 PM gHale

An Internet Explorer Zero Day is a part of a new operation called SnowMan targeting U.S. military personnel.

The Zero Day exploit, which impacts IE 9 and 10, on the website of the U.S. Veterans of Foreign Wars (vfw.org), said researchers at FireEye.

RELATED STORIES
Enterprises Aware, but Remain Vulnerable
DDoS Attacks: Smarter, Faster, Severe
Stronger Voice Needed with Security Policies
Report: Security Needs Proactive Approach

The sophisticated group of cybercriminals behind this attack target high-profile organizations. They’ve previously attacked U.S. government entities, defense industrial base companies, law firms, Japanese companies, and NGOs. They’ve also targeted IT and mining companies, mostly by relying on remote access Trojans (RATs).

Microsoft confirmed the existence of the exploit. The company advises customers to update Internet Explorer to version 11 to protect themselves against such attacks.

“We believe the attack is a strategic Web compromise targeting American military personnel amid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend. Based on infrastructure overlaps and tradecraft similarities, we believe the actors behind this campaign are associated with two previously identified campaigns (Operation DeputyDog and Operation Ephemeral Hydra).”

Additional technical details on the IE Zero Day exploit and the SnowMan campaign are available on FireEye’s blog.

Wednesday, October 2, 2013 @ 11:10 AM gHale

While the latest Internet Explorer Zero Day does not yet have a patch, it appears the vulnerability has been suffering exploitation for a longer time than initially believed.

Microsoft did acknowledge the existence of the vulnerability and said attackers were leveraging the holes. The software giant did issue a Fix it tool to mitigate the problems until a patch can release.

RELATED STORIES
IE Zero Day Attack Hits Japan
IE Zero Day Warning
Patch Tuesday Fixes Reissued
Microsoft Releases 13 Bulletins

Since then, FireEye researchers linked the attacks to the Chinese hacking group that hit Bit9 earlier this year, and said the campaign called “Operation DeputyDog” focused on Japanese organizations and started on August 19 at the latest.

Then, on Thursday, researchers from AlienVault and Websense released their findings regarding the exploit used.

Researcher Jaime Blasco said they spotted the exploit hosted on a subdomain of Taiwan’s Government e-Procurement System, and found users that visited the main page for the first time would instantly end up redirected to the exploit page and served with a malicious file.

Not all visitors ended up targeted as just those whose Windows XP or Windows 7 systems running in English, Chinese, French, German, Japanese, Russian, Korean, and Portuguese, and use Internet Explorer 8 or 9.

Tuesday, July 9, 2013 @ 04:07 PM gHale

Skype is a very popular tool used throughout the manufacturing automation sector, but watch out for a vulnerability in an Android application.

A vulnerability in Skype’s Android application could enable an attacker to bypass the lockscreen on some Android phones, giving them full access to the device.

RELATED STORIES
Viber Android Security Bypass
Bug in LG Android Devices
Ransomware Attacks Android Devices
Ransomware that Steals Passwords

The bug is in Skype version 3.2.0.6673 and researchers tested it on the Sony Xperia Z, Samsung Galaxy Note 2 and Huawei’s Premia 4G-all Android devices, said Pulser, a moderator at the Android forum XDA Developers.

“The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily,” Pulser wrote in a post on the Full Disclosure mailing lists.

The exploit isn’t the easiest to execute, as it involves having access to two separate devices with two separate Skype accounts installed and running.

The hack can start off by calling the victim’s phone, which will cause it to wake, ring and display a Skype prompt on the screen. By accepting the call on the victim’s phone and ending the call on the initial caller’s phone, the lockscreen should pop up on the targeted phone.

Next, the attacker has to turn the phone off and turn it back on and the lockscreen end up bypassed. “The screen will remain bypassed until the device is rebooted,” Pulser said.

The news comes a day after the company pushed version 4.0 of its Android app and on the heels of news this week the app installed on its 100 millionth device worldwide. Skype officials were not immediately available for comment.

The flaw is similar to a vulnerability discovered earlier this spring but since patched in Viber, which like Skype, is a VoIP app that allows its users to send free calls and messages. In Viber, all an attacker had to do to gain access to the phone was send a user a message and combine a series of actions to exploit the way the app handles popup messages.

Researchers have been especially committed to digging up lockscreen bypass flaws as of late. Earlier this year, iPhone users found flaws in iOS 6.1 and the beta version of iOS 7 that could allow an attacker to bypass the screen lock on Apple’s iPhone.

Thursday, June 13, 2013 @ 04:06 PM gHale

It didn’t take long.

An iPhone user in Spain who downloaded the beta version of Apple iOS 7, which came out Monday, was able to bypass its screen-lock security feature.

The revamped mobile operating system unveiled by the Cupertino, CA, technology company last week at its annual World Wide Developers Conference in San Francisco. iOS 7 should release sometime this fall, but the beta has been available all week.

RELATED STORIES
Security Advisories for BlackBerry
Mobile Security Costs Companies
BYOD Dilemma: Risky Apps
Federal Security Guidelines Reworked

Jose Rodriguez recorded a video demonstrating an exploit in which he gains partial access to the phone without having to enter the screen-lock password.

This isn’t the first time Apple dealt with iPhone lockscreen bypass issues. In February, there was a flaw in iOS 6.1 where a user could bypass the screen-lock feature and access the device’s phone feature, view and edit contacts, check voicemail and look through photos. All a user needed to do was make an emergency call, cancel the call, and then trick the device into thinking the user turned it off by holding the lock button twice. Later that same month, researchers found a kernel-glitch in the same version of iOS that could bypass the lock-screen again.

The new operating system offers a substantial redesign with at least two security features. The first is Activation Lock, and its intent is to guard lost and stolen devices against factory resets. Apple’s iOS 5 introduced the iCloud and a feature called Find My iPhone became part of the iOS default installation. It allows users to track down the GPS location of missing devices through the iCloud and perform various functions, like locking a device, remotely wiping it, or causing it to ring and display a customized message.

Problematically, thieves often perform a factory reset on stolen devices (unless they are trying to mine the devices for data), rendering the Find My iPhone feature useless. In iOS 7 however, performing a factory reset is only possible after a user enters their Apple ID and password. The other feature is a sort of password manager called iCloud Keychain and it allows a user to store (in 256-bit AES encryption) and sync passwords and credit card numbers between their various iDevices.

Wednesday, May 29, 2013 @ 01:05 PM gHale

Patches, as mentioned countless times, should end up implemented or there could be consequences down the road.

Take Ruby on Rails as a case in point. A five-month-old security patch could secure the Web development framework now as exploit code has surfaced for CVE-2013-0156 that is in the process of building a botnet of compromised servers.

RELATED STORIES
Ruby on Rails Patches Holes
Botnet Comes Back with DGA Gusto
Botnets Attack Israeli Websites
BackDoor Botnet Taken Over

Exploit code has been publicly available since the vulnerability first came out in January on Github and Metasploit, yet the vulnerability had not suffered exploitation on a large scale until now, said security researcher Jeff Jarmoc.

“I don’t have much evidence as to what the actor may be doing with their compromised machines,” Jarmoc said.

Jarmoc said he found three command and control servers, all of which are down at the moment. The domains previously hosted Trojans and other malware targeting compromised machines.

The exploits set up an IRC chat relay bot that connects to 188[.]190[.]124[.]81 and joins a channel called #rails. The code will execute only once on an infected host.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc wrote on his blog. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”

A patch for the Ruby on Rails framework came out Jan. 8 and developers urged users to upgrade to versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15, all of which are no longer vulnerable. The advisory issued in January said the vulnerability allows attackers to bypass authentication systems, inject SQL commands, inject and execute code or crash a Rails application.

Despite the five-month window between the patch and the availability of exploit code, a number of Rails frameworks remain unpatched. Jarmoc said some organizations may not realize they are running vulnerable installations, in spite of security advisories on the matter.

“It’s not particularly hard to update Rails, but as with any update there’s a possibility of unintended effects on applications. This alone can cause hesitation in some cases,” Jarmoc said. “There’s a small amount of downtime needed to patch, but downtime-sensitive environments can rely on load balancing, redundant servers, etc. to mitigate that.”

“Given the deployed base of Rails, even a small percentage success rate is likely to compromise a significant number of servers,” Jarmoc said.

Thursday, May 23, 2013 @ 04:05 PM gHale

Apache Darkleech JavaScript attacks have become more determined as they added a few hundred more websites, researchers said.

There has been a big increase in the number of websites falling victim to the Darkleech attack on Wednesday, with quite a few of them hosted in the UK, said security firm Zscaler.

RELATED STORIES
Exploit for Web Server Attacks
Yet Another DDoS Attack Strikes Firm
After Israel, Now U.S. Sites Hit
BackDoor Botnet Taken Over

“The Apache Darkleech attack has been in the news for quite some time now,” said Zscaler’s Krishnan Subramanian. “The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page.

“We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the BEK version 2.”

Subramanian said the complex nature of the attack’s exploit method makes it difficult to know exactly how many sites have been affected, making tracking and combating the threat a difficult task.

“The exploit code targets vulnerabilities in multiple plugins including Adobe PDF and Java when run on IE, causing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection. However, this URL was not accessible (404 error response) at the time of writing, hence it was not possible to retrieve the malicious binary file,” Subramanian said.

“Upon revisiting some of these compromised websites, it was found that the page was no longer serving the injected code. This provides a clue. The attackers probably choose random sites running the Apache Webservers that are vulnerable to the Darkleech exploit and infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task.”

The attack already infected thousands of websites when researchers first uncovered it earlier this year. Subramanian said businesses or website owners worried their site has suffered an infection should contact their Apache server host to ensure they have installed the CVE-2012-1557 security patch to fix the flaw.

Monday, May 20, 2013 @ 06:05 PM gHale

An exploit released that proves that normal, logged-in users can gain root access to the Linux kernel via an incorrectly fixed declared pointer.

It all started back in April, when Linux kernel developers fixed an incorrectly declared pointer in the Linux kernel. The problem is, in their rush to fix the issue, they apparently overlooked the potential security implications of the bug, since fact it is possible to gain access to almost any memory area using a suitable event_id.

RELATED STORIES
Stealthy Server Malware Spreading
Multistage Attack Proves Fruitful
Apache Backdoor Leads to Blackhole
Firewall Hole Found, Patched

After realizing the problem, the developers declared the bug as an official security hole (CVE-2013-2094) after the exploit released that proves that normal, logged-in users can gain root access this way.

The bug affects any kernel version between 2.6.37 and 3.8.9 compiled using the PERF_EVENTS option; apparently, this is the case with many distributions. Which exact distributions suffer from the issue will soon become clear when the relevant security updates release. Linux security expert Brad Spengler released a detailed exploit analysis.

Meanwhile, the Ubuntu Security Team closed the vulnerability with updates to Ubuntu 13.04, 12.10, 12.04 LTS and in the Hardware Enablement Kernel for Ubuntu 12.04 LTS based on the Ubuntu 12.10 kernel. The developers caution users that due to ABI changes in the kernel update, all third party modules installed with these kernels have to undergo recompiling and reinstallation. Users who use the linux-restricted-modules package will have to update this package as well, which will happen automatically on systems that include the standard kernel meta packages.

Red Hat said Red Hat Enterprise Linux (RHEL) 4 and 5 do not suffer from the problem. RHEL 6 and Red Hat Enterprise MRG 2, however, do and until the company releases updates that fix the issue, Red Hat recommends mitigating the security risks and gives instructions how to do so on a page on its customer portal web site.

The Debian developers are also working to fix the problem. At the time of writing, Debian stable (Wheezy) and testing (Jessie) are both vulnerable to the exploit, Debian unstable (Sid) is not vulnerable. The fixed kernel package is available in the security update repository for Wheezy, however, and should have an update in the main distribution repository soon.

Tuesday, March 5, 2013 @ 04:03 PM gHale

There are five vulnerabilities in Java SE 7 Update 15 which, when combined, can achieve a complete sandbox bypass.

The new flaws, identified as “issue 56” through “issue 60,” ended up found by researchers at Security Explorations while they were trying to collect new evidence to prove to Oracle “issue 54” is a security hole.

RELATED STORIES
One More Java Zero Day
Another Java Zero Day
Microsoft Victim of Attack
Developer Site Zero Day Attack Source

“Two of the issues found (59 and 60) could be potentially affecting Java SE 6 (we haven’t checked this due to Java SE 6 EOL status), but since all of the issues need to be combined together to gain a successful Java SE security compromise, we treat it as affecting Java SE 7 only,” said Adam Gowdiak, chief executive of Security Explorations.

“The attack breaks a couple of security checks introduced to Java SE by Oracle over the recent months (Issues 57 and 58). It also exploits code fragments that were missing proper security checks corresponding to the very mirror code (Issue 59 and 60). Finally, it demonstrates a difference between the JVM specification and its implementation (Issue 56).”

Gowdiak said similar to other vulnerabilities they’ve found, the Reflection API is the component that undergoes exploitation in the attack.

Oracle has the complete details of the newly-discovered flaws, along with a proof-of-concept.

Tuesday, February 26, 2013 @ 02:02 PM gHale

There is an issue in Apple’s iPhone iOS kernel that has another passcode bypass vulnerability, the second to surface this month.

With the bug, attackers could gain access to users’ photos, contacts and more by following a series of steps on an iPhone running iOS 6.1.

RELATED STORIES
Developer Site Zero Day Attack Source
Apple Working on Fix to Update
Apple Updates iOS
App on iPhone Insecure

Benjamin Kunz Mejri, founder and chief executive of Vulnerability Lab detailed the vulnerability in a post on the Full Disclosure mailing list last week.

Similar to the iPhone’s passcode vulnerability, the exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button. Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone.

A video posted by the group showed a user flipping through the phone’s voicemail list and contacts list while holding down the power button. From there an attacker could get the phone’s screen to turn black before it can connect to a computer via a USB cord. The device’s photos, contacts and more “will be available directly from the device hard drive without the pin to access,” according to the advisory.

The first half of the exploit borrows heavily from last week’s vulnerability – and the Lab notes this in the caption of the video that documents its proof of concept (“already release by other researcher”).

This is the second bypass that can occur by holding down the power button, the screenshot button and the emergency button. From there the phone can plug into a computer and an attacker can cull the information via iTunes from the phone’s hard drive with read/write access.

Apple updated iOS 6.1 to 6.1.2 earlier this week but failed to address the recent passcode bug.

 
 
Archived Entries