<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/155/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Researchers Flag 7-Years-Old Privilege Escalation Flaw in Linux Kernel (CVE-2021-33909)</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-flag-7-years-old-privilege-escalation-flaw-in-linux-kernel-cve-2021-33909-r1331/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Researchers Flag 7-Years-Old Privilege Escalation Flaw in Linux Kernel (CVE-2021-33909)</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>A vulnerability (CVE-2021-33909) in the Linux kernel’s filesystem layer that may allow local, unprivileged attackers to gain root privileges on a vulnerable host has been unearthed by researchers.</strong>
</p>

<p>
	 
</p>

<p>
	“Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable,” said Bharat Jogi, Senior Manager, Vulnerabilities and Signatures, Qualys.
</p>

<p>
	They have also flagged CVE-2021-33910, a closely related systemd vulnerability that could lead to a denial of service condition.
</p>

<p>
	 
</p>

<p>
	<strong>About the vulnerabilities (CVE-2021-33909 and CVE-2021-33910)</strong>
</p>

<p>
	The source of both flaws is the incorrect handling of long path names.
</p>

<p>
	 
</p>

<p>
	“The first vulnerability (CVE-2021-33909) is an attack against the Linux kernel. An unprivileged local attacker can exploit this vulnerability by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. A successful attack results in privilege escalation,” the Red Hat security team explained.
</p>

<p>
	 
</p>

<p>
	“The second vulnerability (CVE-2021-33910) is an attack against systemd (the system and service manager) and requires a local attacker with the ability to mount a filesystem with a long path. This attack causes systemd, the services it manages, and the entire system to crash and stop responding.”
</p>

<p>
	 
</p>

<p>
	Qualys researchers have dubbed CVE-2021-33909 “Sequoia” – “a pun on the bug’s deep directory tree that yields root privileges” – and said that all Linux kernel versions from 2014 (Linux 3.16) onwards are vulnerable.
</p>

<p>
	 
</p>

<p>
	More technical details, an analysis of the flaw, a PoC, exploitation details and mitigations are included in Qualys’s security advisory. Additional details and a PoC video are available here.
</p>

<p>
	 
</p>

<p>
	<strong>Patches are available</strong>
</p>

<p>
	Qualys sent the advisories for the two flaws to Red Hat Product Security in early June, and Red Hat sent the patches they wrote to the linux-distros@openwall and security@kernel mailing lists earlier this month.
</p>

<p>
	 
</p>

<p>
	CVE-2021-33909 affects Red Hat Enterprise Linux 8, 7, and 6, and CVE-2021-33910 affects Red Hat Enterprise Linux 8.
</p>

<p>
	 
</p>

<p>
	“Further, any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted,” the company said.
</p>

<p>
	 
</p>

<p>
	They provided a vulnerability detection script customers can use to determine whether their system is currently vulnerable, and advised customers running affected versions of Red Hat products to apply the available updates immediately.
</p>

<p>
	 
</p>

<p>
	The Debian Project also recommends upgrading one’s linux and systemd packages.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.helpnetsecurity.com/2021/07/20/cve-2021-33909/" rel="external nofollow">Source</a></strong><strong></strong>
</p>
]]></description><guid isPermaLink="false">1331</guid><pubDate>Wed, 21 Jul 2021 16:02:47 +0000</pubDate></item><item><title>New Windows and Linux Flaws Give Attackers Highest System Privileges</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-and-linux-flaws-give-attackers-highest-system-privileges-r1329/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>New Windows and Linux Flaws Give Attackers Highest System Privileges</strong></span>
</p>

<p>
	 
</p>

<p>
	Microsoft's Windows 10 and the upcoming Windows 11 have been found vulnerable to a new local privilege escalation vulnerability that lets users with low-level permissions read Windows registry hive files and, from them, recover local account password hashes and the keys needed to decrypt other stored secrets.
</p>

<p>
	 
</p>

<p>
	"Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files," CERT Coordination Center (CERT/CC) said in a vulnerability note published Monday. "This can allow for local privilege escalation (LPE)."
</p>

<p>
	 
</p>

<p>
	The files in question are as follows -
</p>

<p>
	 
</p>

<p>
	c:\Windows\System32\config\sam<br />
	c:\Windows\System32\config\system<br />
	c:\Windows\System32\config\security
</p>

<p>
	 
</p>

<p>
	Microsoft, which is tracking the vulnerability under the identifier CVE-2021-36934, acknowledged the issue, but has yet to roll out a patch, or provide a timeline for when the fix will be made available.
</p>

<p>
	 
</p>

<p>
	"An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database," the Windows makers noted. "An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Windows-SAM.jpg" class="ipsImage" data-ratio="32.50" height="231" width="720" src="https://thehackernews.com/images/-RPXOmujuXrY/YPe-L2M8ZII/AAAAAAAADRU/oGSk56V9xQ8d1Mp_bb01h82y-PeBBrHbgCLcBGAsYHQ/s728-e1000/Windows-SAM.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Successful exploitation, however, requires that the attacker already has a foothold and can execute code on the victim system. The live hive files are held open by the operating system, so the practical read path is a Volume Shadow Copy snapshot of the system drive. That is why CERT/CC's interim advice is both to restrict access to the sam, system, and security files and to delete existing VSS shadow copies: tightening the ACLs alone leaves snapshots already taken readable, while deleting the snapshots also discards any restore points they hold.
</p>

<p>
	 
</p>

<p>
	The latest disclosure also marks the third publicly disclosed unpatched bug in Windows since the release of Patch Tuesday updates on July 13. Besides CVE-2021-36934, two more weaknesses affecting the Print Spooler component have also been discovered, prompting Microsoft to urge all users to stop and disable the service to protect systems against exploitation.
</p>

<p>
	 
</p>

<p>
	<strong>Linux Distros Suffer from "Sequoia" Privilege Escalation Flaw</strong>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt;  View the video at the <a href="https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html" rel="external nofollow">source page</a>. &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It's not just Windows. Remediations have been released for a security shortcoming affecting all Linux kernel versions from 2014 that can be exploited by malicious users and malware already deployed on a system to gain root-level privileges.
</p>

<p>
	 
</p>

<p>
	Dubbed "Sequoia" by researchers from cybersecurity firm Qualys, the issue has been assigned the identifier CVE-2021-33909 and affects default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Red Hat Enterprise Linux versions 6, 7, and 8 are also affected by the vulnerability.
</p>

<p>
	 
</p>

<p>
	Specifically, the flaw is a size_t-to-int type conversion in the Linux kernel's "seq_file" interface, which generates sequential output such as /proc/self/mountinfo. An unprivileged local attacker who creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB forces seq_file to grow its buffer past 2GB; that length turns negative when it reaches an int parameter, and Qualys's advisory describes the resulting primitive as a write of the 10-byte string "//deleted" roughly 2GB below the start of a vmalloc()ated kernel buffer, which the researchers turned into root on the vulnerable host.
</p>
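<p>
	The following is an added example, not code from the Qualys advisory or from the kernel tree; it models the seq_file buffer-growth loop described above and in the earlier item on the same flaw, to show why a path longer than 1GB is the threshold that matters. seq_file starts with a one-page buffer and doubles it until a record fits; the length is a size_t, but the path helper it calls takes an int. The names growUnchecked, growChecked and toCInt are the example's own, and storing the size in an Int32Array stands in for what a C int assignment does on two's-complement hardware (it keeps the low 32 bits). The MAX_RW_COUNT bound follows the upstream fix, which refuses seq_file buffers larger than that constant.
</p>

```javascript
// Added example (not kernel code): models seq_file's doubling growth loop
// and the size_t-to-int narrowing that CVE-2021-33909 hinges on.

const PAGE_SIZE = 4096;
const INT_MAX = 2 ** 31 - 1;
// The kernel's MAX_RW_COUNT is INT_MAX rounded down to a page boundary;
// the upstream fix refuses seq_file buffers larger than this.
const MAX_RW_COUNT = INT_MAX - (INT_MAX % PAGE_SIZE);

// Emulates `int buflen = size;` where size is a size_t that may exceed INT_MAX.
function toCInt(size) {
  const view = new Int32Array(1);
  view[0] = size; // typed-array store wraps modulo 2^32, like the C narrowing
  return view[0];
}

// Vulnerable growth loop: double until the record fits, with no check that
// the resulting length is still representable as a positive int.
function growUnchecked(recordLen, start = PAGE_SIZE) {
  let size = start;
  let doublings = 0;
  while (size < recordLen) {
    size *= 2;
    doublings += 1;
  }
  return { size, doublings, bufLenAsInt: toCInt(size), rejected: false };
}

// Hardened growth loop: refuse to grow past MAX_RW_COUNT, so every length
// handed to an int parameter stays positive. Returns the last good size.
function growChecked(recordLen, start = PAGE_SIZE) {
  let size = start;
  let doublings = 0;
  while (size < recordLen) {
    const next = size * 2;
    if (next > MAX_RW_COUNT) {
      return { size, doublings, bufLenAsInt: toCInt(size), rejected: true };
    }
    size = next;
    doublings += 1;
  }
  return { size, doublings, bufLenAsInt: toCInt(size), rejected: false };
}

// Constructed record length: a /proc/self/mountinfo line for a mount point
// just over 1 GiB long (the real attack builds such a path on disk).
const LONG_PATH_RECORD = 2 ** 30 + 64;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unchecked:', growUnchecked(LONG_PATH_RECORD));
  console.log('checked:  ', growChecked(LONG_PATH_RECORD));
}
```

<p>
	With a record just over 1 GiB the unchecked loop lands on a 2 GiB buffer, and the int view of that length is -2147483648; the checked loop stops at 1 GiB and reports the rejection instead. The general lesson is that a length which crosses between size_t and int needs its bound enforced where the buffer is sized, not re-checked in every consumer.
</p>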

<p>
	 
</p>

<p>
	Separately, Qualys also disclosed a stack exhaustion denial-of-service vulnerability in systemd (CVE-2021-33910) that an unprivileged attacker can trigger by mounting a filesystem with a very long path; because systemd runs as PID 1, its crash takes the whole system down with a kernel panic.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1329</guid><pubDate>Wed, 21 Jul 2021 14:12:47 +0000</pubDate></item><item><title>Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-npm-package-caught-stealing-users-saved-passwords-from-browsers-r1328/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers</strong></span>
</p>

<p>
	 
</p>

<p>
	A software package available from the official NPM repository has turned out to be a front for a tool designed to steal saved passwords from the Chrome web browser.
</p>

<p>
	 
</p>

<p>
	The package in question, named "nodejs_net_server" and downloaded 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), and the GitHub repository it lists no longer exists.
</p>

<p>
	 
</p>

<p>
	"It isn't malicious by itself, but it can be when put into the malicious use context," ReversingLabs researcher Karlo Zanki said of the off-the-shelf password recovery tool the package retrieves, in an analysis shared with The Hacker News. "For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line."
</p>

<p>
	 
</p>

<p>
	While the first version of the package was published only to test the process of publishing an NPM package, the developer, who went by the name "chrunlee", revised it to implement remote shell functionality that was refined over several subsequent versions.
</p>

<p>
	 
</p>

<p>
	This was followed by the addition of a script that downloaded the ChromePass password-stealing tool hosted on their personal website ("hxxps://chrunlee.cn/a.exe"), only to modify it three weeks later to run TeamViewer remote access software.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="chromepass.jpg" class="ipsImage" data-ratio="26.81" height="191" width="720" src="https://thehackernews.com/images/-f8BAuXhU2-g/YPgdU4dALdI/AAAAAAAADSc/wZJRgJNtRQ4TRMp-fmebr2Wtpx8o1JJ5gCLcBGAsYHQ/s728-e1000/chromepass.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Interestingly, the author also abused the "bin" field of the package's "package.json" manifest, which maps command names to scripts that npm installs as executables, to register a command called "jstest", the name of a legitimate cross-platform JavaScript test framework. Running that command launched a service capable of receiving an array of commands, including file lookup, file upload, shell command execution, and screen and camera recording.
</p>

<p>
	 
</p>

<p>
	ReversingLabs said it reported the rogue package to NPM's security team twice, once on July 2 and again on July 15, but noted that no action has been taken to date to take it down. We have reached out to NPM for further clarification, and we'll update the story once we hear back.
</p>

<p>
	 
</p>

<p>
	If anything, the episode again exposes the risk of relying on third-party code from public package repositories, as software supply chain attacks become a popular way for threat actors to abuse the trust placed in interconnected software to stage increasingly sophisticated breaches.
</p>

<p>
	 
</p>

<p>
	"Growing popularity of software package repositories and their ease of use make them a perfect target," Zanki said. "When developers reuse existing libraries to implement the needed functionality faster and easier, they rarely make in-depth security assessments before including them into their project."
</p>

<p>
	 
</p>

<p>
	"This omission is a result of the overwhelming nature, and the vast quantity, of potential security issues found in third-party code. Hence in general, packages are quickly installed to validate whether they solve the problem and, if they don't, move on to the alternative. This is a dangerous practice, and it can lead to incidental installation of malicious software," Zanki added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/malicious-npm-package-caught-stealing.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1328</guid><pubDate>Wed, 21 Jul 2021 14:05:09 +0000</pubDate></item><item><title>Warning on rising cybercrime during the pandemic</title><link>https://nsaneforums.com/news/security-privacy-news/warning-on-rising-cybercrime-during-the-pandemic-r1325/</link><description><![CDATA[<p>
	<span style="font-size:36px;"><strong>Warning on rising cybercrime during the pandemic</strong></span>
</p>

<p>
	 
</p>

<p>
	A new study of almost 12,000 Australians has found that one-third of the adult population has experienced pure cybercrime during their lifetime, with 14% reporting such an incident in the past 12 months.
</p>

<p>
	 
</p>

<p>
	With all forms of cybercrime already costing trillions every year globally, experts from the Australian Institute of Criminology (AIC) and Flinders University say the crimes involved substantial levels of personal victimization including direct losses as well as the high cost of preventing future attacks.
</p>

<p>
	 
</p>

<p>
	A pre-COVID-19 snapshot of the cost of 'pure cybercrime' in 2019 has found an approximate total economic hit of $3.5 billion—comprising $1.4 billion spent on prevention costs, $1.9 billion in money directly lost by victims and $597 million spent dealing with the consequences of victimization.
</p>

<p>
	 
</p>

<p>
	With only about $389 million recovered by victims—barely paying for the cost of dealing with the incidents—the survey estimated about 2.8 million Australians had been hit within the past year and nearly 6.7 million Australian adults could have been victims at any time in the past.
</p>

<p>
	 
</p>

<p>
	Only a small proportion of financial losses are recovered by victims.
</p>

<p>
	 
</p>

<p>
	'Pure cybercrime' activities include hacking, spreading viruses and other malware, and distributed denial-of-service attacks. While this involves crimes against machines and networks, it is estimated other forms of cyber-enabled identity crime cost Australian government agencies, individuals and businesses additional sums of more than $3bn a year.
</p>

<p>
	 
</p>

<p>
	"Pure cybercrime is a highly profitable criminal activity and results in substantial financial losses to Australians," says Flinders University Professor Russell Smith, who also warns of a potential rise in online fraud as a result of opportunities for dishonesty created by COVID-19-related economic disruptions.
</p>

<p>
	 
</p>

<p>
	"On current information, as cybercriminals become more sophisticated, it's clear the need for additional expenditure on prevention will need to increase.
</p>

<p>
	 
</p>

<p>
	"Equally, it is imperative that the financial harms associated with cybercrime are assessed so that resources for prevention and response activities can be targeted most effectively, and a baseline can be developed against which to measure the impact of future policy responses," Professor Smith says.
</p>

<p>
	 
</p>

<p>
	A 2018–2019 investigation into identity crime (Smith &amp; Franks 2020) found a cost of $3.1 billion to Commonwealth entities, state and territory agencies (including police), individuals and businesses—most of which, but not all, was a consequence of cyber-enabled identity crime.
</p>

<p>
	 
</p>

<p>
	Cyber-enabled offenses use technology to make conventional crimes such as identity theft, fraud, stalking and harassment easier to commit and with a lower risk of detection.
</p>

<p>
	 
</p>

<p>
	"Cybercrime is a growing, borderless and continually evolving body of crimes which can threaten individuals, businesses, government and national security," says Mr Coen Teunissen, lead author of the new AIC publication.
</p>

<p>
	 
</p>

<p>
	"This study represents the first large-scale Australian study of pure cybercrime prevalence and financial harm.
</p>

<p>
	 
</p>

<p>
	"Importantly, this is a conservative estimate, as many victims were unable to report how much they had lost or how much they had spent dealing with the consequences of cybercrime. This also excludes the cost to business and government from pure cybercrime," Mr Teunissen says.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-07-cybercrime-pandemic.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1325</guid><pubDate>Wed, 21 Jul 2021 13:35:55 +0000</pubDate></item><item><title>Chrome now features better privacy and security without draining the battery</title><link>https://nsaneforums.com/news/security-privacy-news/chrome-now-features-better-privacy-and-security-without-draining-the-battery-r1319/</link><description><![CDATA[<header>
	<h1>
		Chrome now features better privacy and security without draining the battery
	</h1>

	<p>
		 
	</p>
</header>

<div itemprop="articleBody">
	<p>
		<a href="https://www.neowin.net/news/chrome-92-is-coming-today-deprecates-payment-handler-configuration-enhances-pwas/" rel="external nofollow">Google Chrome 92 is rolling out later today</a> with a number of enhancements such as Bluetooth device filtering, enhancements to PWAs, and deprecation of a payment handler configuration. Now, the <a href="https://blog.google/products/chrome/privacy-and-performance-working-together-chrome/" rel="external nofollow">company has detailed certain privacy- and security-related features that it is rolling out to Chrome</a> today as well.
	</p>

	<p>
		 
	</p>

	<p>
		Chrome users may have noticed that some sites ask for extra permissions such as microphone and location. To allow you to keep track of what permissions a site is utilizing, you can simply click on the lock icon in the address bar which now shows an updated panel showing the permissions you have granted. You can toggle these permissions as well. Currently, this capability is only present on Android phones and tablets. Google says that future enhancements will also include the ability to delete the site from your browsing history.
	</p>

	<p>
		 
	</p>

	<p>
		Improvements are being made to Chrome Actions as well. For those unaware, this <a href="https://www.neowin.net/news/chrome-87-out-with-huge-performance-improvements-new-omnibox-actions-more/" rel="external nofollow">feature was introduced in Chrome 87 in November 2020</a>, and enables users to perform actions such as deleting history or cookies right from the address bar of the browser. Today, it is getting new actions such as the ability to type "safety check" to validate the security of your passwords and scan for malicious extensions. Other actions include "manage security settings" and "manage sync".
	</p>

	<p>
		 
	</p>

	<p>
		Finally, on the security front, Google is expanding Site Isolation in Chrome. <a href="https://security.googleblog.com/" rel="external nofollow">In-depth technical details can be found on the technical blog here</a>, but in a nutshell, the capability isolates sites and extensions from each other so that a malicious extension or site cannot steal your data from another website. The feature is being expanded to cover more websites and extensions. The company also says that new image processing techniques in Chrome have made phishing detection 50 times faster while using less battery than before. You can <a href="https://blog.chromium.org/2021/07/m92-faster-and-more-efficient-phishing-detection.html" rel="external nofollow">find out more details about this here</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/chrome-now-features-better-privacy-and-security-without-draining-the-battery/" rel="external nofollow">Chrome now features better privacy and security without draining the battery</a>
</p>
]]></description><guid isPermaLink="false">1319</guid><pubDate>Tue, 20 Jul 2021 22:45:31 +0000</pubDate></item><item><title>Spam Kingpin Peter Levashov Gets Time Served</title><link>https://nsaneforums.com/news/security-privacy-news/spam-kingpin-peter-levashov-gets-time-served-r1318/</link><description><![CDATA[<header>
	<div>
		<h1>
			Spam Kingpin Peter Levashov Gets Time Served
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-56098">
			<div>
				<div id="attachment_56336">
					<p>
						 
					</p>

					<p>
						<img alt="levashov-sentence.png" aria-describedby="caption-attachment-56336" data-ratio="76.62" loading="lazy" width="462" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/levashov-sentence.png">
					</p>

					<p id="caption-attachment-56336">
						<br>
						Peter Levashov, appearing via Zoom at his sentencing hearing today.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					A federal judge in Connecticut today handed down a sentence of time served to spam kingpin <a href="https://krebsonsecurity.com/?s=peter+severa&amp;x=0&amp;y=0" rel="external nofollow" target="_blank">Peter “Severa” Levashov</a>, a prolific purveyor of malicious and junk email, and the creator of malware strains that infected millions of Microsoft computers globally. Levashov has been in federal custody since his extradition to the United States and guilty plea in 2018, and was facing up to 12 more years in prison. Instead, he will go free under three years of supervised release and a possible fine.
				</p>

				<p>
					 
				</p>

				<p>
					A native of St. Petersburg, Russia, the 40-year-old Levashov operated under the hacker handle “Severa.” Over the course of his 15-year cybercriminal career, Severa would emerge as a pivotal figure in the cybercrime underground, serving as the primary moderator of a spam community that spanned multiple top Russian cybercrime forums.
				</p>

				<p>
					 
				</p>

				<p>
					Severa created and then leased out to others some of the nastiest cybercrime engines in history — including the <a href="https://en.wikipedia.org/wiki/Storm_Worm" rel="external nofollow" target="_blank">Storm worm</a>, and the <a href="https://krebsonsecurity.com/?s=waledac&amp;x=0&amp;y=0" rel="external nofollow" target="_blank">Waledac</a> and <a href="https://krebsonsecurity.com/?s=kelihos&amp;x=0&amp;y=0" rel="external nofollow" target="_blank">Kelihos</a> spam botnets. His central role in the spam forums gave Severa a prime spot to advertise the services tied to his various botnets, while allowing him to keep tabs on the activities of other spammers.
				</p>

				<p>
					 
				</p>

				<p>
					Severa rented out segments of his Waledac botnet to anyone seeking a vehicle for sending spam. For $200, vetted users could hire his botnet to blast one million emails containing malware or ads for male enhancement drugs. Junk email campaigns touting employment or “money mule” scams cost $300 per million, and phishing emails could be blasted out through Severa’s botnet for the bargain price of $500 per million.
				</p>

				<p>
					 
				</p>

				<div id="attachment_13548">
					<img alt="SeveraSpamdot.png" aria-describedby="caption-attachment-13548" data-ratio="74.03" loading="lazy" sizes="(max-width: 773px) 100vw, 773px" srcset="https://krebsonsecurity.com/wp-content/uploads/2012/01/SeveraSpamdot.png 1249w, https://krebsonsecurity.com/wp-content/uploads/2012/01/SeveraSpamdot-600x414.png 600w, https://krebsonsecurity.com/wp-content/uploads/2012/01/SeveraSpamdot-1024x706.png 1024w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2012/01/SeveraSpamdot.png">
					<p>
						 
					</p>

					<p id="caption-attachment-13548">
						Severa was a moderator on the Russian spam community Spamdot[.]biz. In this paid ad from 2004, Severa lists prices to rent his spam botnet.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Early in his career, Severa worked very closely with two major purveyors of spam. One was Alan Ralsky, an American spammer who was <a href="https://en.wikipedia.org/wiki/Alan_Ralsky" rel="external nofollow" target="_blank">convicted in 2009</a> of paying Severa and other spammers to promote pump-and-dump stock scams.
				</p>

				<p>
					 
				</p>

				<p>
					The other was a major spammer who went by the nickname “<a href="https://krebsonsecurity.com/2011/06/rustock-botnet-suspect-sought-job-at-google/" rel="external nofollow" target="_blank">Cosma</a>,” the cybercriminal thought to be responsible for managing the Rustock botnet (so named because it was a Russian botnet frequently used to send pump-and-dump stock spam). Microsoft, which has battled to scrub botnets like Rustock off of millions of PCs, later <a href="https://krebsonsecurity.com/2011/07/microsoft-offers-250k-bounty-for-rustock-author/" rel="external nofollow" target="_blank">offered a still-unclaimed $250,000 reward</a> for information leading to the arrest and conviction of the Rustock author.
				</p>

				<p>
					 
				</p>

				<p>
					Severa ran several affiliate programs that paid cybercriminals to trick people into installing fake antivirus software. In 2011, <a href="https://krebsonsecurity.com/2011/07/spam-fake-av-like-ham-eggs/" rel="external nofollow" target="_blank">KrebsOnSecurity dissected “SevAntivir”</a> — Severa’s eponymous fake antivirus affiliate program  — showing it was used to deploy new copies of the Kelihos spam botnet.
				</p>

				<p>
					 
				</p>

				<div id="attachment_10861">
					<img alt="sevdownload.png" aria-describedby="caption-attachment-10861" data-ratio="77.14" loading="lazy" sizes="(max-width: 701px) 100vw, 701px" srcset="https://krebsonsecurity.com/wp-content/uploads/2011/07/sevdownload.png 557w, https://krebsonsecurity.com/wp-content/uploads/2011/07/sevdownload-300x296.png 300w" src="https://krebsonsecurity.com/wp-content/uploads/2011/07/sevdownload.png">
					<p>
						 
					</p>

					<p id="caption-attachment-10861">
						A screenshot of the “SevAntivir” fake antivirus or “scareware” affiliate program run by Severa.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					In 2010, Microsoft — in tandem with a number of security researchers — launched a <a href="https://krebsonsecurity.com/2010/02/microsoft-ambushes-waledac-botnet-shutters-whistleblower-site/" rel="external nofollow" target="_blank">combined technical and legal sneak attack</a> on the Waledac botnet, successfully dismantling it. The company would later do the same <a href="https://krebsonsecurity.com/2012/03/researchers-clobber-khelios-spam-botnet/" rel="external nofollow" target="_blank">to the Kelihos botnet</a>, a global spam machine which shared a great deal of code with Waledac and infected more than 110,000 Microsoft Windows PCs.
				</p>

				<p>
					 
				</p>

				<p>
					Levashov was <a href="https://krebsonsecurity.com/2017/04/alleged-spam-king-pyotr-levashov-arrested/" rel="external nofollow" target="_blank">arrested in 2017</a> while in Barcelona, Spain with his family. According to <a href="https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/" rel="external nofollow" target="_blank">a lengthy April 2017 story in Wired.com</a>, he got caught because he <a href="https://krebsonsecurity.com/2021/05/the-wages-of-password-re-use-your-money-or-your-life/" rel="external nofollow" target="_blank">violated a basic security no-no</a>: He used the same log-in credentials to both run his criminal enterprise and log into sites like iTunes.
				</p>

				<p>
					 
				</p>

				<p>
					In fighting his extradition to the United States, Levashov famously told the media, “If I go to the U.S., I will die in a year.” But a few months after his extradition, Levashov would plead guilty to four felony counts, including intentional damage to protected computers, conspiracy, wire fraud and aggravated identity theft.
				</p>

				<p>
					 
				</p>

				<p>
					At his sentencing hearing today, Levashov thanked his wife, attorney and the large number of people who wrote the court in support of his character, but otherwise declined to make a statement. His attorney read a lengthy statement explaining that Levashov got into spamming as a way to provide for his family, and that over a period of many years that business saw him supporting countless cybercrime operations.
				</p>

				<p>
					 
				</p>

				<p>
					The plea agreement Levashov approved in 2018 gave Judge Robert Chatigny broad latitude to impose a harsh prison sentence. The government argued that <a href="https://www.ussc.gov/guidelines/2018-guidelines-manual/2018-chapter-5" rel="external nofollow" target="_blank">under U.S. federal sentencing guidelines</a>, Levashov’s crimes deserved an “offense level” of 32, which for a first-time offender means a sentence of anywhere from 121 to 151 months (10 to 12 years).
				</p>

				<p>
					 
				</p>

				<p>
					But Judge Chatigny said he had concerns that “the total offense level does overstate the seriousness of Mr. Levashov’s crimes and his criminal culpability,” and said he believed Levashov was unlikely to offend again.
				</p>

				<p>
					 
				</p>

				<p>
					“33 months is a long time and I’m sure it was especially difficult for you considering that you were away from your wife and child and home,” Chatigny told the defendant. “I believe you have a lot to offer and hope that you will do your best to be a positive and contributing member of society.”
				</p>

				<p>
					 
				</p>

				<p>
					Mark Rasch, a former federal prosecutor with the U.S. Justice Department, said the sentencing guidelines are no longer mandatory, but they do reflect the position of Congress, the U.S. Sentencing Commission, and the Administrative Office of the U.S. Courts about the seriousness of the offenses.
				</p>

				<p>
					 
				</p>

				<p>
					“One of the problems you have here is it’s hard enough to catch and prosecute and convict cybercriminals, but at the end of the day the courts often don’t take these offenses seriously,” Rasch said. “On the one hand, sentences like these do tend to diminish the deterrent effect, but also I doubt there are any hackers in St. Petersburg right now who are watching this case and going, ‘Okay, great now I can keep doing what I’m doing.'”
				</p>

				<p>
					 
				</p>

				<p>
					Judge Chatigny deferred ruling on what — if any — financial damages Levashov may have to pay as a result of the plea.
				</p>

				<p>
					 
				</p>

				<p>
					The government acknowledged that it was difficult to come to an accurate accounting of how much Levashov’s various botnets cost companies and consumers. But the plea agreement states a figure of approximately $7 million — which prosecutors say represents a mix of actual damages and ill-gotten gains.
				</p>

				<p>
					 
				</p>

				<p>
					However, the judge delayed ruling on whether to impose a fine because prosecutors had yet to supply a document to back up the defendant’s alleged profit/loss figures. The judge also ordered Levashov to submit to three years of supervised release, which includes constant monitoring of his online communications.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/07/spam-kingpin-peter-levashov-gets-time-served/" rel="external nofollow">Spam Kingpin Peter Levashov Gets Time Served</a>
</p>
]]></description><guid isPermaLink="false">1318</guid><pubDate>Tue, 20 Jul 2021 22:43:33 +0000</pubDate></item><item><title>New Windows 10 vulnerability allows anyone to get admin privileges</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges-r1317/</link><description><![CDATA[<h1>
	New Windows 10 vulnerability allows anyone to get admin privileges
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after the discovery that users with low privileges can access sensitive Registry database files.
	</p>

	<p>
		 
	</p>

	<p>
		The Windows Registry acts as the configuration repository for the Windows operating system and contains hashed passwords, user customizations, configuration options for applications, system decryption keys, and more.
	</p>

	<p>
		 
	</p>

	<p>
		The database files associated with the Windows Registry are stored under the C:\Windows\system32\config folder and are broken up into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.
	</p>

	<p>
		 
	</p>

	<p>
		As these files contain sensitive information about all user accounts on a device and security tokens used by Windows features, they should be restricted from being viewed by regular users with no elevated privileges.
	</p>

	<p>
		 
	</p>

	<p>
		This is especially true for the <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam" rel="external nofollow" target="_blank">Security Account Manager</a> (SAM) file as it contains the hashed passwords for all users on a system, which threat actors can use to assume their identity.
	</p>

	<h2>
		SAM file can be read by anyone
	</h2>

	<p>
		Yesterday, security researcher <a href="https://twitter.com/jonasLyk" rel="external nofollow" target="_blank">Jonas Lykkegaard</a> told BleepingComputer he discovered that the Windows 10 and Windows 11 Registry files associated with the Security Account Manager (SAM), and all other Registry databases, are accessible to the 'Users' group that has low privileges on a device.
	</p>

	<p>
		 
	</p>

	<p>
		These low permissions were confirmed by BleepingComputer on a fully patched Windows 10 20H2 device, as shown below.
	</p>

	<div>
		<figure>
			<img alt="File permissions on the SAM file" data-ratio="69.31" src="https://www.bleepstatic.com/images/news/Microsoft/vulnerabilities/registry-low-privilege/sam-privileges.jpg">
			<figcaption>
				File permissions on the SAM file
			</figcaption>
		</figure>
	</div>

	<p>
		With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.
	</p>

	<p>
		 
	</p>

	<p>
		As the Registry files, such as the SAM file, are always in use by the operating system, an attempt to open one of them directly fails with an access violation because the file is held open and locked by another program.
	</p>

	<div>
		<figure>
			<img alt="Cannot access the open SAM file" data-ratio="69.31" src="https://www.bleepstatic.com/images/news/Microsoft/vulnerabilities/registry-low-privilege/sam-access-violation.jpg">
			<figcaption>
				Cannot access the open SAM file
			</figcaption>
		</figure>
	</div>

	<p>
		However, as the Registry files, including the SAM, are usually backed up by the Windows shadow volume copies, Lykkegaard says you can access the files through shadow volumes without an access violation.
	</p>

	<p>
		 
	</p>

	<p>
		For example, any user on the computer can access the SAM file through the following Win32 device namespace path for shadow volume copies:
	</p>

	<pre>\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM</pre>

	<p>
		Using these low, incorrect file permissions together with shadow volume copies of the files, security researcher and Mimikatz creator <a href="https://twitter.com/gentilkiwi" rel="external nofollow" target="_blank">Benjamin Delpy</a> has told BleepingComputer that you could easily steal an elevated account's NTLM hashed password to gain higher privileges.
	</p>

	<p>
		 
	</p>

	<p>
		This attack is demonstrated in the video below created by Delpy and shared with BleepingComputer that shows Mimikatz using an NTLM hash to gain debug privileges.
	</p>

	<p>
		 
	</p>

	<div class="ipsEmbeddedVideo" contenteditable="false">
		<div>
			<iframe allow="autoplay; fullscreen; picture-in-picture" allowfullscreen="" frameborder="0" height="240" src="https://player.vimeo.com/video/577234015?app_id=122963" title="Using Mimikatz and incorrect permissions on Registry files to elevated privileges" width="384"></iframe>
		</div>
	</div>

	<p>
		 
	</p>

	<p>
		In addition to stealing NTLM hashes and elevating privileges, Delpy told BleepingComputer that this low privileged access could allow for further attacks, such as <a href="https://www.varonis.com/blog/kerberos-attack-silver-ticket/" rel="external nofollow" target="_blank">Silver Ticket</a> attacks.
	</p>

	<p>
		 
	</p>

	<p>
		It is unclear why Microsoft changed the permissions on the Registry to allow regular users to read the files.
	</p>

	<p>
		 
	</p>

	<p>
		However, <a href="https://twitter.com/wdormann" rel="external nofollow" target="_blank">Will Dormann</a>, a vulnerability analyst for CERT/CC, and SANS author <a href="https://twitter.com/jeffmcjunkin" rel="external nofollow" target="_blank">Jeff McJunkin</a>, said Microsoft introduced the permission changes in Windows 10 1809.
	</p>

	<p>
		 
	</p>

	<p>
		Strangely, Dormann stated that when installing a fresh version of Windows 10 20H2 from June, the loose permissions were not present.
	</p>

	<p>
		 
	</p>

	<p>
		Therefore, it is not clear whether Microsoft fixed the permission issue for clean installations of Windows but left it in place on systems upgraded to newer versions.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer has reached out to Microsoft for more information but has not heard back at this time.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/" rel="external nofollow">New Windows 10 vulnerability allows anyone to get admin privileges</a>
</p>
]]></description><guid isPermaLink="false">1317</guid><pubDate>Tue, 20 Jul 2021 22:40:48 +0000</pubDate></item><item><title>Two-for-Tuesday vulnerabilities send Windows and Linux users scrambling</title><link>https://nsaneforums.com/news/security-privacy-news/two-for-tuesday-vulnerabilities-send-windows-and-linux-users-scrambling-r1316/</link><description><![CDATA[<div>
	<header>
		<h1 itemprop="headline">
			Two-for-Tuesday vulnerabilities send Windows and Linux users scrambling
		</h1>

		<h2 itemprop="description">
			Both OSes have flaws that allow attackers with a toehold to elevate access.
		</h2>

		<div>
			 
		</div>
	</header>

	<section>
		<div itemprop="articleBody">
			<p>
				The world woke up on Tuesday to two new vulnerabilities—one in Windows and the other in Linux—that allow hackers with a toehold in a vulnerable system to bypass OS security restrictions and access sensitive resources.
			</p>

			<p>
				 
			</p>

			<p>
				As operating systems and applications become harder to hack, successful attacks typically require two or more vulnerabilities. One vulnerability allows the attacker access to low-privileged OS resources, where code can be executed or sensitive data can be read. A second vulnerability elevates that code execution or file access to OS resources reserved for password storage or other sensitive operations. The value of so-called local privilege escalation vulnerabilities, accordingly, has increased in recent years.
			</p>

			<h2>
				Breaking Windows
			</h2>

			<p>
				The Windows vulnerability <a href="https://twitter.com/jonasLyk/status/1417205166172950531" rel="external nofollow">came to light</a> by accident on Monday when a researcher observed what he believed was a coding regression in a beta version of the upcoming Windows 11. The researcher found that the contents of the <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam" rel="external nofollow">security account manager</a>—the database that stores user accounts and security descriptors for users on the local computer—could be read by users with limited system privileges.
			</p>

			<p>
				 
			</p>

			<p>
				That made it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain the computer keys for the Windows data protection API—which can be used to decrypt private encryption keys—and create an account on the vulnerable machine. The result is that the local user can elevate privileges all the way to System, the highest level in Windows.
			</p>

			<p>
				 
			</p>

			<p>
				“I don’t know the full extent of the issue yet, but it’s too many to not be a problem I think,” researcher Jonas Lykkegaard noted. “Just so nobody is in doubt what this means, it’s EOP to SYSTEM for even sandboxed apps.”
			</p>

			<p>
				 
			</p>

			<div class="ipsEmbeddedOther" contenteditable="false">
				<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed281086804" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/jonasLyk/status/1417205166172950531?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1417205166172950531%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://arstechnica.com/gadgets/2021/07/separate-eop-flaws-let-hackers-gain-full-control-of-windows-and-linux-systems/" style="overflow: hidden; height: 624px;"></iframe>
			</div>

			<p>
				People responding to Lykkegaard pointed out that the behavior wasn’t a regression introduced in Windows 11. Instead, the same vulnerability was present in the latest version of Windows 10. The US Computer Emergency Readiness Team <a href="https://kb.cert.org/vuls/id/506989" rel="external nofollow">said</a> that the vulnerability is present when the Volume Shadow Copy Service—the Windows feature that allows the OS or applications to take "point-in-time snapshots" of an entire disk without locking the filesystem—is turned on.
			</p>

			<p>
				 
			</p>

			<p>
				The advisory explained:
			</p>

			<blockquote>
				<p>
					If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:
				</p>

				<ul>
					<li>
						Extract and leverage account password hashes
					</li>
					<li>
						Discover the original Windows installation password
					</li>
					<li>
						Obtain DPAPI computer keys, which can be used to decrypt all computer private keys
					</li>
					<li>
						Obtain a computer machine account, which can be used in a <a href="https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/" rel="external nofollow">silver ticket attack</a>
					</li>
				</ul>

				<p>
					Note that VSS shadow copies may not be available in some configurations; however, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be <a href="https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information" rel="external nofollow">automatically created</a>. To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:<br>
					<code>vssadmin list shadows</code>
				</p>
			</blockquote>
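			<p>
				The following PowerShell script is an added defender-side check, not code from this article, the CERT/CC advisory or the researchers quoted: run from an elevated prompt, it reports whether the built-in Users group (assumed here to appear as BUILTIN\Users) holds an Allow entry on each hive file under System32\config, the condition described in the BleepingComputer item above, and whether any VSS shadow copies exist, the <code>vssadmin list shadows</code> check from the advisory. Only the combination of the two exposes the hives to a standard user.
			</p>

```powershell
# Added defender-side check (not from the article): does the low-privileged
# BUILTIN\Users group hold an Allow ACE on the Registry hive files, and do VSS
# shadow copies exist that would expose an unlocked copy of those files?
# Run from an elevated PowerShell prompt (shadow copy enumeration needs admin rights).

$hives     = 'SAM', 'SECURITY', 'SYSTEM', 'DEFAULT', 'SOFTWARE'
$configDir = Join-Path $env:SystemRoot 'System32\config'
$weak      = @()

foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-Acl only reads the security descriptor, so it succeeds even though the
    # hive itself is held open and locked by the kernel.
    $acl = Get-Acl -LiteralPath $path
    $usersAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow'
    }

    if ($usersAllow) {
        $rights = ($usersAllow | ForEach-Object { $_.FileSystemRights }) -join ', '
        Write-Output ("[!]  {0}: BUILTIN\Users has {1}" -f $hive, $rights)
        $weak += $hive
    } else {
        Write-Output ("[ok] {0}: no Allow ACE for BUILTIN\Users" -f $hive)
    }
}

# Win32_ShadowCopy is the WMI class behind 'vssadmin list shadows'. DeviceObject is
# the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN prefix of the shadow-copy path
# quoted in the BleepingComputer item.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    Write-Output ("[!]  {0} shadow copy(ies) present:" -f $shadows.Count)
    $shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize
} else {
    Write-Output '[ok] no VSS shadow copies found'
}

# Both conditions together are what let a standard user read the hives.
if ($weak.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Output ("EXPOSED: {0} readable through a shadow copy" -f ($weak -join ', '))
} else {
    Write-Output 'Not exposed under the conditions checked here.'
}
```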

			<p>
				Researcher Benjamin Delpy <a href="https://twitter.com/gentilkiwi/status/1417467063883476992" rel="external nofollow">showed</a> how the vulnerability can be exploited to obtain password hashes and other sensitive data:
			</p>

			<p>
				 
			</p>

			<div class="ipsEmbeddedOther" contenteditable="false">
				<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed9793187905" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/gentilkiwi/status/1417467063883476992?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1417467063883476992%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://arstechnica.com/gadgets/2021/07/separate-eop-flaws-let-hackers-gain-full-control-of-windows-and-linux-systems/" style="overflow: hidden; height: 712px;"></iframe>
			</div>

			<p>
				Currently, there is no patch available. Microsoft representatives did not immediately have a comment on the report.
			</p>

			<h2>
				Et tu, Linux kernel?
			</h2>

			<p>
				Most versions of Linux, meanwhile, are in the process of distributing a fix for a vulnerability disclosed on Tuesday. CVE-2021-33909, as the security flaw is tracked, allows an untrusted user to gain unfettered system rights by creating, mounting, and deleting a deep directory structure with a total path length that exceeds 1GB and then opening and reading the /proc/self/mountinfo file.
			</p>

			<p>
				 
			</p>

			<p>
				“We successfully exploited this uncontrolled out-of-bounds write and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation,” researchers from Qualys, the security firm that discovered the vulnerability and created proof-of-concept code that exploits it, wrote. “Other Linux distributions are certainly vulnerable, and probably exploitable.”
			</p>

			<p>
				 
			</p>

			<p>
				The exploit Qualys described comes with significant overhead, specifically roughly 1 million nested directories. The attack also requires about 5GB of memory and 1 million <a href="https://en.wikipedia.org/wiki/Inode" rel="external nofollow">inodes</a>. Despite the hurdles, a Qualys representative described the PoC as “extremely reliable” and said it takes about three minutes to complete.
			</p>

			<p>
				 
			</p>

			<p>
				Here’s an overview of the exploit:
			</p>

			<blockquote>
				<p>
					1/ We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, we bind-mount it in an unprivileged user namespace, and rmdir() it.
				</p>

				<p>
					2/ We create a thread that vmalloc()ates a small eBPF program (via BPF_PROG_LOAD), and we block this thread (via userfaultfd or FUSE) after our eBPF program has been validated by the kernel eBPF verifier but before it is JIT-compiled by the kernel.
				</p>

				<p>
					3/ We open() /proc/self/mountinfo in our unprivileged user namespace and start read()ing the long path of our bind-mounted directory, thereby writing the string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated buffer.
				</p>

				<p>
					4/ We arrange for this "//deleted" string to overwrite an instruction of our validated eBPF program (and therefore nullify the security checks of the kernel eBPF verifier) and transform this uncontrolled out-of-bounds write into an information disclosure and into a limited but controlled out-of-bounds write.
				</p>

				<p>
					5/ We transform this limited out-of-bounds write into an arbitrary read and write of kernel memory by reusing Manfred Paul's beautiful btf and map_push_elem techniques from:
				</p>

				<p>
					<a href="https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification" ipsnoembed="false" rel="external nofollow">https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification</a>
				</p>
			</blockquote>

			<p>
				Qualys has a separate writeup <a href="https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909" rel="external nofollow">here</a>.
			</p>

			<p>
				 
			</p>

			<p>
				People running Linux should check with the distributor to determine if patches are available to fix the vulnerability. Windows users should await advice from Microsoft and outside security experts.
			</p>
		</div>
	</section>
</div>

<div>
	 
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/07/separate-eop-flaws-let-hackers-gain-full-control-of-windows-and-linux-systems/" rel="external nofollow">Two-for-Tuesday vulnerabilities send Windows and Linux users scrambling</a>
</p>
]]></description><guid isPermaLink="false">1316</guid><pubDate>Tue, 20 Jul 2021 22:37:05 +0000</pubDate></item><item><title>16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers</title><link>https://nsaneforums.com/news/security-privacy-news/16-year-old-security-bug-affects-millions-of-hp-samsung-xerox-printers-r1308/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers</strong></span>
</p>

<p>
	 
</p>

<p>
	Details have emerged about a high severity security vulnerability affecting a software driver used in HP, Xerox, and Samsung printers that has remained undetected since 2005.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2021-3438 (CVSS score: 8.8), the issue concerns a buffer overflow in a print driver installer package named "SSPORT.SYS" that can enable remote privilege and arbitrary code execution. Hundreds of millions of printers have been released worldwide to date with the vulnerable driver in question.
</p>

<p>
	 
</p>

<p>
	However, there is no evidence that the flaw was abused in real-world attacks.
</p>

<p>
	 
</p>

<p>
	"A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege," according to an advisory published in May.
</p>

<p>
	 
</p>

<p>
	The issue was reported to HP by threat intelligence researchers from SentinelLabs on February 18, 2021, following which remedies have been published for the affected printers as of May 19, 2021.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="code.jpg" class="ipsImage" data-ratio="24.31" height="174" width="720" src="https://thehackernews.com/images/-838krg-n9hY/YPa07BJHYcI/AAAAAAAADRM/2kYzz2l5RVUzeF8faVp5A81QEirk2K1iACLcBGAsYHQ/s728-e1000/code.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Specifically, the issue hinges on the fact that the printer driver doesn't sanitize the size of the user input, potentially allowing an unprivileged user to escalate privileges and run malicious code in kernel mode on systems that have the buggy driver installed.
</p>

<p>
	"The vulnerable function inside the driver accepts data sent from User Mode via IOCTL (Input/Output Control) without validating the size parameter," SentinelOne researcher Asaf Amir said in a report shared with The Hacker News. "This function copies a string from the user input using 'strncpy' with a size parameter that is controlled by the user. Essentially, this allows attackers to overrun the buffer used by the driver."
</p>

<p>
	 
</p>

<p>
	Interestingly, it appears that HP copied the driver's functionality from a near-identical Windows driver sample published by Microsoft, although the sample project in itself doesn't contain the vulnerability.
</p>

<p>
	 
</p>

<p>
	This is not the first time security flaws have been discovered in old software drivers. Earlier this May, SentinelOne revealed details about multiple critical privilege escalation vulnerabilities in Dell's firmware update driver named "dbutil_2_3.sys" that went undisclosed for more than 12 years.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/16-year-old-security-bug-affects.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1308</guid><pubDate>Tue, 20 Jul 2021 14:23:31 +0000</pubDate></item><item><title>This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection</title><link>https://nsaneforums.com/news/security-privacy-news/this-new-malware-hides-itself-among-windows-defender-exclusions-to-evade-detection-r1307/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed "MosaicLoader" that singles out individuals searching for cracked software as part of a global campaign.
</p>

<p>
	 
</p>

<p>
	"The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," Bitdefender researchers said in a report shared with The Hacker News. "The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="computer-virus.jpg" class="ipsImage" data-ratio="75.10" height="540" width="611" src="https://thehackernews.com/images/-tEQ2S9Zo3IQ/YPaJrV4Iy1I/AAAAAAAADQg/PKTtVqx0uyAp-k_EfDp3WmLRUXR_oDuYgCLcBGAsYHQ/s728-e1000/computer-virus.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The malware has been so named because of its sophisticated internal structure that's orchestrated to prevent reverse-engineering and evade analysis.
</p>

<p>
	 
</p>

<p>
	Attacks involving MosaicLoader rely on a well-established tactic for malware delivery called search engine optimization (SEO) poisoning, wherein cybercriminals purchase ad slots in search engine results to boost their malicious links as top results when users search for terms related to pirated software.
</p>

<p>
	 
</p>

<p>
	Upon a successful infection, the initial Delphi-based dropper — which masquerades as a software installer — acts as an entry point to fetch next-stage payloads from a remote server and also adds local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="windows-malware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="624" src="https://thehackernews.com/images/-nD5GzpIrHn0/YPaJf1fxMvI/AAAAAAAADQc/sYKuL0Xreh81beU6KYVyv_AzZuEhMTFhgCLcBGAsYHQ/s728-e1000/windows-malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It's worth pointing out that such Windows Defender exclusions can be found in the registry keys listed below:
</p>

<p>
	 
</p>

<ul>
	<li>
		File and folder exclusions: <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths</code>
	</li>
	<li>
		File type exclusions: <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions</code>
	</li>
	<li>
		Process exclusions: <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes</code>
	</li>
</ul>
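<p>
	The following PowerShell script is an added detection check, not code from the article or from Bitdefender: run from an elevated prompt, it enumerates the exclusions stored under the three registry keys listed above and compares their counts with what the Defender engine reports through <code>Get-MpPreference</code>, so that exclusions added for unexpected executables stand out.
</p>

```powershell
# Added detection check (not from the article or from Bitdefender): list the
# Windows Defender exclusions stored under the three registry keys named in the
# article, so that entries like the ones MosaicLoader adds for its payloads can
# be reviewed. Reading these keys normally requires an elevated prompt.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$categories = [ordered]@{
    Paths      = 'File and folder exclusions'
    Extensions = 'File type exclusions'
    Processes  = 'Process exclusions'
}

$findings = foreach ($key in $categories.Keys) {
    $keyPath = Join-Path $base $key
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }

    # Each exclusion is stored as a value *name* under the key (its data is just 0),
    # so the value names are what we report; the PS* properties are provider metadata.
    $props = Get-ItemProperty -LiteralPath $keyPath
    if (-not $props) { continue }
    $names = $props.PSObject.Properties.Name |
        Where-Object { $_ -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }

    foreach ($name in $names) {
        [pscustomobject]@{
            Category  = $categories[$key]
            Exclusion = $name
        }
    }
}

if ($findings) {
    $findings | Sort-Object Category, Exclusion | Format-Table -AutoSize
} else {
    Write-Output 'No Windows Defender exclusions found in the registry.'
}

# Cross-check against what the Defender engine itself reports. A mismatch between
# the registry view and the engine view is itself worth a closer look.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    $pathCount = ($pref.ExclusionPath      | Measure-Object).Count
    $extCount  = ($pref.ExclusionExtension | Measure-Object).Count
    $procCount = ($pref.ExclusionProcess   | Measure-Object).Count
    Write-Output ("Engine view: {0} path, {1} extension, {2} process exclusion(s)" -f $pathCount, $extCount, $procCount)
}
```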

<p>
	<br />
	One of the binaries, "appsetup.exe," is conceived to achieve persistence on the system, whereas the second executable, "prun.exe," functions as a downloader for a sprayer module that can retrieve and deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba.
</p>

<p>
	 
</p>

<p>
	"prun.exe" is also notable for its barrage of obfuscation and anti-reverse techniques that involve separating code chunks with random filler bytes, with the execution flow designed to "jump over these parts and only execute the small, meaningful chunks."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-map.jpg" class="ipsImage" data-ratio="60.28" height="429" width="720" src="https://thehackernews.com/images/-mA_eXqBs2VE/YPaM8vas7II/AAAAAAAADQ0/64EIZhaUj6cBoiv31eROogNn7OBlN_xwwCLcBGAsYHQ/s728-e1000/malware-map.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Given MosaicLoader's wide-ranging capabilities, compromised systems can be co-opted into a botnet that the threat actor can then exploit to propagate multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks.
</p>

<p>
	 
</p>

<p>
	"The best way to defend against MosaicLoader is to avoid downloading cracked software from any source," the researchers said. "Besides being against the law, cybercriminals look to target and exploit users searching for illegal software," adding it's essential to "check the source domain of every download to make sure that the files are legitimate."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/this-new-malware-hides-itself-among.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1307</guid><pubDate>Tue, 20 Jul 2021 14:20:13 +0000</pubDate></item><item><title>U.S. and key allies accuse China of Microsoft Exchange cyberattacks</title><link>https://nsaneforums.com/news/security-privacy-news/us-and-key-allies-accuse-china-of-microsoft-exchange-cyberattacks-r1285/</link><description><![CDATA[<p>
	<span style="font-size:26px;"><strong>U.S. and key allies accuse China of Microsoft Exchange cyberattacks</strong></span>
</p>

<p>
	 
</p>

<p>
	The U.S., NATO and other allies are collectively calling out China for malicious cyberattacks, including a March attack that exploited a flaw in Microsoft's Exchange Server.
</p>

<p>
	 
</p>

<p>
	<strong>Why it matters: </strong>It's the first time that NATO, a military alliance founded in 1949 to confront the Soviet Union, has signed onto a formal condemnation of China's cyber activities.
</p>

<p>
	 
</p>

<p>
	<strong>Zoom in: </strong>Authorities are detailing more than 50 different techniques that Chinese state-sponsored actors used, and offering up recommended mitigations that businesses and organizations can take.
</p>

<p>
	 
</p>

<ul>
	<li>
		The U.S. says that China's Ministry of State Security is using contract hackers to conduct the attacks, many of which are being done for profit, including via ransomware.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		The U.S., NATO, European Union, U.K., Australia, Canada, New Zealand and Japan say they can now, "with high confidence," attribute the March attack using the Exchange flaw to cyberattackers affiliated with China's state security ministry. That attack crippled thousands of computers around the world.
	</li>
</ul>

<p>
	<br />
	<strong>As part of Monday's announcement</strong>, the Justice Department unveiled criminal charges against four Ministry of State Security hackers for a "multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in at least a dozen countries."
</p>

<p>
	 
</p>

<p>
	<strong>Between the lines:</strong> There are a number of countries that have been blamed for past cyberattacks, including China, Iran, Russia and North Korea.
</p>

<p>
	 
</p>

<ul>
	<li>
		The U.S. says Russian government hackers have been known to sometimes also "moonlight" in for-profit attacks, but in this case it was the Chinese military working directly with the attackers.
	</li>
</ul>

<p>
	<br />
	<strong>What's next:</strong> The U.S. says it has raised the concerns with Chinese authorities and said it hasn't ruled out a further response, but also cautioned that no one action is likely to deter China.
</p>

<p>
	 
</p>

<ul>
	<li>
		Rather, the administration is pointing to a number of recent steps taken on cybersecurity including executive orders, work with the EU and G7 and new rules for pipeline and other critical infrastructure providers.
	</li>
</ul>

<p>
	<br />
	<strong>The big picture:</strong> NATO leaders last month took their strongest position yet on the threat from China, releasing a communique that characterized Beijing's growing influence, military prowess and assertive behavior as "systemic challenges to the rules-based international order."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.axios.com/china-cyberattacks-nato-181e71d2-7414-45f3-9463-c8b1d46392c1.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1285</guid><pubDate>Mon, 19 Jul 2021 13:45:20 +0000</pubDate></item><item><title>Researchers Warn of Linux Cryptojacking Attackers Operating from Romania</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-warn-of-linux-cryptojacking-attackers-operating-from-romania-r1284/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Researchers Warn of Linux Cryptojacking Attackers Operating from Romania</strong></span>
</p>

<p>
	 
</p>

<p>
	A threat group likely based in Romania and active since at least 2020 has been behind an active cryptojacking campaign targeting Linux-based machines with a previously undocumented SSH brute-forcer written in Golang.
</p>

<p>
	 
</p>

<p>
	Dubbed "Diicot brute," the password cracking tool is alleged to be distributed via a software-as-a-service model, with each threat actor furnishing their own unique API keys to facilitate the intrusions, Bitdefender researchers said in a report published last week.
</p>

<p>
	 
</p>

<p>
	While the goal of the campaign is to deploy Monero mining malware by remotely compromising the devices via brute-force attacks, the researchers connected the gang to at least two DDoS botnets, including a Demonbot variant called chernobyl and a Perl IRC bot, with the XMRig mining payload hosted on a domain named mexalz[.]us since February 2021.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking-code.jpg" class="ipsImage" data-ratio="75.10" height="540" width="675" src="https://thehackernews.com/images/-iHN6oY9ndP4/YPV5qN6v9RI/AAAAAAAADP8/dee_UMdhV4ANOtEAw8WMoJ668l0cPronwCLcBGAsYHQ/s728-e1000/hacking-code.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The Romanian cybersecurity technology company said it began its investigation into the group's cyber activities in May 2021, leading to the subsequent discovery of the adversary's attack infrastructure and toolkit.
</p>

<p>
	 
</p>

<p>
	The group is also known for relying on a bag of obfuscation tricks that enable them to slip under the radar. To that end, the Bash scripts are compiled with a shell script compiler (shc), and the attack chain has been found to leverage Discord to report the information back to a channel under their control, a technique that has become increasingly common among malicious actors for command-and-control communications and for evading security controls.
</p>

<p>
	 
</p>

<p>
	Using Discord as a data exfiltration platform also removes the need for threat actors to host their own command-and-control server, and it supports the creation of communities centered around buying and selling malware source code and services.
</p>

<p>
	"Hackers going after weak SSH credentials is not uncommon," the researchers said. "Among the biggest problems in security are default user names and passwords, or weak credentials hackers can overcome easily with brute force. The tricky part is not necessarily brute-forcing those credentials but doing it in a way that lets attackers go undetected."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/researchers-warn-of-linux-cryptojacking.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1284</guid><pubDate>Mon, 19 Jul 2021 13:33:25 +0000</pubDate></item><item><title>50,000 phone numbers worldwide on list linked to Israeli spyware: reports</title><link>https://nsaneforums.com/news/security-privacy-news/50000-phone-numbers-worldwide-on-list-linked-to-israeli-spyware-reports-r1283/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>50,000 phone numbers worldwide on list linked to Israeli spyware: reports</strong></span>
</p>

<p>
	 
</p>

<p>
	An Israeli firm accused of supplying spyware to governments has been linked to a list of tens of thousands of smartphone numbers, including those of activists, journalists, business executives and politicians around the world, according to reports.
</p>

<p>
	 
</p>

<p>
	The NSO Group and its Pegasus malware—capable of switching on a phone's camera or microphone, and harvesting its data—have been in the headlines since 2016, when researchers accused it of helping spy on a dissident in the United Arab Emirates.
</p>

<p>
	 
</p>

<p>
	Sunday's revelations—part of a collaborative investigation by The Washington Post, The Guardian, Le Monde and other media outlets—raise privacy concerns and reveal the far-reaching extent to which the private firm's software could be misused.
</p>

<p>
	 
</p>

<p>
	The leak consists of more than 50,000 smartphone numbers believed to have been identified as connected to people of interest by NSO clients since 2016, the news organizations said, although it was unclear how many devices were actually targeted or surveilled.
</p>

<p>
	NSO has denied any wrongdoing, labelling the allegations "false."
</p>

<p>
	 
</p>

<p>
	On the list were 15,000 numbers in Mexico—among them reportedly a number linked to a murdered reporter—and 300 in India, including politicians and prominent journalists.
</p>

<p>
	 
</p>

<p>
	Earlier this week, the Indian government—which in 2019 denied using the malware to spy on its citizens, following a lawsuit—reiterated that "allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever."
</p>

<p>
	 
</p>

<p>
	The Post said a forensic analysis of 37 of the smartphones on the list showed there had been "attempted and successful" hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi, who was murdered in 2018 by a Saudi hit squad.
</p>

<p>
	 
</p>

<p>
	Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, and Reuters, The Guardian said.
</p>

<p>
	 
</p>

<p>
	Use of the Pegasus software to hack the phones of Al Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research center at the University of Toronto, and Amnesty International.
</p>

<p>
	 
</p>

<p>
	Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty originally shared the leak with the newspapers.
</p>

<p>
	 
</p>

<p>
	<strong>Pocket spy</strong>
</p>

<p>
	 
</p>

<p>
	The Post said the numbers on the list were unattributed, but other media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries.
</p>

<p>
	 
</p>

<p>
	Those identified included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials—including heads of state, prime ministers and cabinet ministers.
</p>

<p>
	 
</p>

<p>
	The numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
</p>

<p>
	 
</p>

<p>
	Pegasus is a highly invasive tool that can switch on a target's phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy. In some cases, it can be installed without the need to trick a user into initiating a download.
</p>

<p>
	 
</p>

<p>
	NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it "full of wrong assumptions and uncorroborated theories," and threatening a defamation lawsuit.
</p>

<p>
	 
</p>

<p>
	"We firmly deny the false allegations made in their report," NSO said.
</p>

<p>
	 
</p>

<p>
	It said it was "not associated in any way" with the Khashoggi murder, adding that it sells "solely to law enforcement and intelligence agencies of vetted governments".
</p>

<p>
	 
</p>

<p>
	Roughly three dozen journalists at Qatar's Al-Jazeera network had their phones targeted by Pegasus malware, Citizen Lab reported in December, while Amnesty said in June the software was used by Moroccan authorities on the cellphone of Omar Radi, a journalist convicted over a social media post.
</p>

<p>
	 
</p>

<p>
	Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-07-private-israeli-malware-spy-journalists.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1283</guid><pubDate>Mon, 19 Jul 2021 13:22:42 +0000</pubDate></item><item><title>WhatsApp is now offering encrypted cloud backups, here's how you can enable it</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-is-now-offering-encrypted-cloud-backups-heres-how-you-can-enable-it-r1270/</link><description><![CDATA[<header>
	<h1>
		WhatsApp is now offering encrypted cloud backups, here's how you can enable it
	</h1>
</header>

<div itemprop="articleBody">
	<p>
		 
	</p>

	<p>
		WhatsApp has finally added an option that allows users to encrypt their cloud backups. <a href="https://www.neowin.net/news/whatsapp-working-on-letting-you-password-protect-google-drive-backups/" rel="external nofollow">The feature first showed up back in March 2020</a> and is finally making its way to users.
	</p>

	<p>
		 
	</p>

	<p>
		WhatsApp has offered end-to-end encryption for chats, but the company has been clear that the encryption does not extend to cloud backups stored on Google Drive. However, with the new feature, Android users will be able to set a password before uploading the backups to Google Drive. As WhatsApp notes, encrypting the backups means that users will need to enter the password when restoring a backup. The company further notes that it will not be able to help if someone forgets the password, as it is not shared with WhatsApp or Google. If you want extra security, you can choose the "Use 64-digit Encryption key instead" option, which generates a random encryption key. Do make sure to keep a copy of the key, as WhatsApp will ask for it when you restore a backup and the company can't help you recover the key if you lose it.
	</p>

	<p>
		 
	</p>

	<p>
		To use the feature, you will need to follow the steps below:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Open WhatsApp and tap on the three dots on the top right corner. Now, navigate to Settings &gt; Chats &gt; Chat backup
		</li>
		<li>
			Now select "Encrypt your Backups" under the 'Google Drive settings' section
		</li>
		<li>
			Tap on "Continue" and then tap on "Create Password"
		</li>
	</ul>

	<figure>
		<a href="https://cdn.neow.in/news/images/uploaded/2021/07/1626508452_screenshot_20210717-125351_whatsapp.jpg" rel="external nofollow"><img alt="Screenshot of WhatsApp encrypted cloud backup" data-ratio="75.10" src="https://cdn.neow.in/news/images/uploaded/2021/07/1626508452_screenshot_20210717-125351_whatsapp_story.jpg"></a>
	</figure>

	<ul>
		<li>
			Now enter a password and tap on "Next". Do note that here you can tap on the "Use 64-digit Encryption key instead" option if you want to use an encryption key instead of a password.
		</li>
		<li>
			Re-enter the password and tap on "Confirm" to enable encryption
		</li>
	</ul>

	<figure>
		<a href="https://cdn.neow.in/news/images/uploaded/2021/07/1626508469_screenshot_20210717-125419_whatsapp.jpg" rel="external nofollow"><img alt="Screenshot of WhatsApp encrypted cloud backup" data-ratio="75.10" src="https://cdn.neow.in/news/images/uploaded/2021/07/1626508469_screenshot_20210717-125419_whatsapp_story.jpg"></a>
	</figure>

	<p>
		Currently, the feature is only available on version 2.21.15.5 of WhatsApp for Android Beta. However, we do expect the company to roll it out to all users in the coming months. Unfortunately, there is no word on encrypted backup support for iOS users.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-is-now-offering-encrypted-cloud-backups-heres-how-you-can-enable-it/" rel="external nofollow">WhatsApp is now offering encrypted cloud backups, here's how you can enable it</a>
</p>
]]></description><guid isPermaLink="false">1270</guid><pubDate>Sat, 17 Jul 2021 22:06:46 +0000</pubDate></item><item><title>Google is working on a new Privacy Review feature in Chrome</title><link>https://nsaneforums.com/news/security-privacy-news/google-is-working-on-a-new-privacy-review-feature-in-chrome-r1269/</link><description><![CDATA[<h1>
	Google is working on a new Privacy Review feature in Chrome
</h1>

<p>
	 
</p>

<p>
	Google has added a new feature to the Settings page of its Chrome browser.
</p>

<p>
	 
</p>

<p>
	The new Privacy and Security review feature, when working, will help users “review their most important privacy and security controls in one place”.
</p>

<p>
	 
</p>

<p>
	The feature can be enabled using the “Privacy Review” flag in chrome://flags but is currently non-functional, delivering only a dummy experience.
</p>

<div>
	<div>
		 
	</div>

	<div>
		<img alt="privacy-review-1.jpg" class="ipsImage" data-ratio="75.10" height="360" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/07/privacy-review-1.jpg">
	</div>

	<div>
		 
	</div>

	<div>
		<img alt="privacy-review-2.jpg" class="ipsImage" data-ratio="75.10" height="350" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/07/privacy-review-2.jpg">
	</div>

	<div>
		 
	</div>

	<div>
		<img alt="privacy-review-3.jpg" class="ipsImage" data-ratio="75.10" height="400" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/07/privacy-review-3.jpg">
	</div>

	<div>
		 
	</div>

	<div>
		<img alt="privacy-review-4.jpg" class="ipsImage" data-ratio="75.10" height="363" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/07/privacy-review-4.jpg">
	</div>

	<div>
		 
	</div>
</div>

<p>
	The setting is somewhat ironic given <a href="https://mspoweruser.com/how-to-find-out-if-you-are-part-of-googles-floc-test/" rel="external nofollow">Google’s plans with FLoC</a> to turn Chrome into an engine to spy on users and share their findings with advertisers and random websites, but fortunately for now <a href="https://mspoweruser.com/google-now-lets-you-disable-floc-but-they-are-not-making-it-easy-2/" rel="external nofollow">those plans are on hold.</a>
</p>

<p>
	 
</p>

<p>
	via <a href="https://techdows.com/2021/07/chrome-privacy-review.html" rel="external nofollow" target="_blank">Techdows</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/google-is-working-on-a-new-privacy-review-feature-in-chrome/" rel="external nofollow">Google is working on a new Privacy Review feature in Chrome</a>
</p>
]]></description><guid isPermaLink="false">1269</guid><pubDate>Sat, 17 Jul 2021 22:04:27 +0000</pubDate></item><item><title>HelloKitty ransomware is targeting vulnerable SonicWall devices</title><link>https://nsaneforums.com/news/security-privacy-news/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices-r1268/</link><description><![CDATA[<h1>
	HelloKitty ransomware is targeting vulnerable SonicWall devices
</h1>

<div>
	<p>
		 
	</p>

	<p>
		CISA warns of threat actors targeting "a known, previously patched, vulnerability" found in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life firmware.
	</p>

	<p>
		 
	</p>

	<p>
		As the US federal agency also <a href="https://us-cert.cisa.gov/ncas/current-activity/2021/07/15/ransomware-risk-unpatched-eol-sonicwall-sra-and-sma-8x-products" rel="external nofollow" target="_blank">adds</a>, the attackers can exploit this security vulnerability as part of a targeted ransomware attack.
	</p>

	<p>
		 
	</p>

	<p>
		This alert comes after SonicWall issued an "urgent security notice" and sent emails to warn customers of the "<a href="https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-ransomware-risk-to-eol-sma-100-vpn-appliances/" target="_blank" rel="external nofollow">imminent risk of a targeted ransomware attack</a>."
	</p>

	<p>
		 
	</p>

	<p>
		Even though the company said the risk of ransomware attacks is imminent, Coveware CEO Bill Siegel <a href="https://twitter.com/billseagull/status/1415352903817117699" rel="external nofollow" target="_blank">confirmed</a> CISA's warning by saying that the campaign is already ongoing.
	</p>

	<p>
		 
	</p>

	<p>
		CISA urges users and administrators to review the SonicWall <a href="https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/" rel="external nofollow" target="_blank">security notice</a> and upgrade their devices to the latest firmware or immediately disconnect all end-of-life appliances.
	</p>

	<p>
		 
	</p>

	<div class="ipsEmbeddedOther" contenteditable="false">
		<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed7215793526" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/USCERT_gov/status/1415764861217353731?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1415764861217353731%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/" style="overflow: hidden; height: 305px;"></iframe>
	</div>

	<h2>
		HelloKitty ransomware: one of the groups behind these attacks
	</h2>

	<p>
		While CISA and SonicWall did not reveal the identity of the threat attackers behind these attacks, BleepingComputer was told by a source in the cybersecurity industry that HelloKitty has been exploiting the vulnerability for the past few weeks.
	</p>

	<p>
		 
	</p>

	<p>
		Cybersecurity firm CrowdStrike also confirmed to BleepingComputer that the ongoing attacks are attributed to multiple threat actors, including HelloKitty.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.bleepingcomputer.com/tag/hellokitty/" target="_blank" rel="external nofollow">HelloKitty</a> is a human-operated ransomware operation active since <a href="https://www.bleepingcomputer.com/forums/t/750580/hellokitty-ransomware-crypt-read-me-unlocktxt-support-topic/" target="_blank" rel="external nofollow">November 2020</a>, mostly known for encrypting the systems of <a href="https://www.bleepingcomputer.com/news/security/cd-projekt-red-gaming-studio-hit-by-ransomware-attack/" target="_blank" rel="external nofollow">CD Projekt Red</a> and claiming to have stolen Cyberpunk 2077, Witcher 3, Gwent, and other games' source code.
	</p>

	<p>
		 
	</p>

	<p>
		Even though the bug abused to compromise unpatched and EOL SMA and SRA products was not disclosed in CISA's warning or SonicWall's notice, CrowdStrike security researcher Heather Smith told BleepingComputer yesterday that the targeted vulnerability is tracked as CVE-2019-7481.
	</p>

	<p>
		 
	</p>

	<p>
		"This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021," SonicWall said in an emailed statement.
	</p>

	<p>
		 
	</p>

	<p>
		However, CrowdStrike's Heather Smith and Hanno Heinrichs <a href="https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/" rel="external nofollow" target="_blank">said in a report</a> published last month that "CrowdStrike Services incident response teams identified eCrime actors leveraging an older SonicWall VPN vulnerability, CVE-2019-7481, that affects Secure Remote Access (SRA) 4600 devices."
	</p>

	<p>
		 
	</p>

	<p>
		SonicWall credited the two security researchers with reporting the actively exploited security flaw in a <a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0017" rel="external nofollow" target="_blank">security advisory</a> issued yesterday.
	</p>

	<p>
		 
	</p>

	<p>
		According to a Coveware report, Babuk ransomware is also targeting SonicWall VPNs likely vulnerable to <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5135" rel="external nofollow">CVE-2020-5135</a> exploits. This vulnerability was patched in October 2020 but it is still "heavily abused by ransomware groups today" per Coveware.
	</p>

	<h2>
		Ransomware vs. SonicWall devices
	</h2>

	<p>
		A threat group tracked by Mandiant as UNC2447 has also exploited the <a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001" rel="external nofollow" target="_blank">CVE-2021-20016</a> zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy a <a href="https://www.bleepingcomputer.com/news/security/new-ransomware-group-uses-sonicwall-zero-day-to-breach-networks/" target="_blank" rel="external nofollow">new ransomware strain known as FiveHands</a> (a DeathRansom variant, as is HelloKitty).
	</p>

	<p>
		 
	</p>

	<p>
		Their attacks hit multiple North American and European targets before SonicWall released patches in <a href="https://www.bleepingcomputer.com/news/security/sonicwall-firewall-maker-hacked-using-zero-day-in-its-vpn-device/" target="_blank" rel="external nofollow">late February 2021</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The same zero-day was also abused in January in attacks <a href="https://www.bleepingcomputer.com/news/security/sonicwall-firewall-maker-hacked-using-zero-day-in-its-vpn-device/" target="_blank" rel="external nofollow">targeting SonicWall's internal systems</a> and later <a href="https://www.bleepingcomputer.com/news/security/sonicwall-sma-100-zero-day-exploit-actively-used-in-the-wild/" target="_blank" rel="external nofollow">indiscriminately exploited in the wild</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Mandiant threat analysts discovered <a href="https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-patch-3-zero-days-exploited-in-the-wild/" target="_blank" rel="external nofollow">three other zero-day vulnerabilities</a> in SonicWall's on-premises and hosted Email Security (ES) products in March.
	</p>

	<p>
		 
	</p>

	<p>
		These three zero-days were also actively exploited by a group Mandiant tracks as UNC2682 to backdoor systems using BEHINDER web shells, allowing them to move laterally through victims' networks and access emails and files.
	</p>

	<p>
		 
	</p>

	<p>
		"The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization's network," the Mandiant researchers <a href="https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html" rel="external nofollow" target="_blank">said</a> at the time.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/" rel="external nofollow">HelloKitty ransomware is targeting vulnerable SonicWall devices</a>
</p>
]]></description><guid isPermaLink="false">1268</guid><pubDate>Sat, 17 Jul 2021 22:01:09 +0000</pubDate></item><item><title>China's New Law Requires Researchers to Report All Zero-Day Bugs to Government</title><link>https://nsaneforums.com/news/security-privacy-news/chinas-new-law-requires-researchers-to-report-all-zero-day-bugs-to-government-r1265/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>China's New Law Requires Researchers to Report All Zero-Day Bugs to Government</strong></span>
</p>

<p>
	 
</p>

<p>
	The Cyberspace Administration of China (CAC) has issued new, stricter vulnerability disclosure regulations that require security researchers who uncover critical flaws in computer systems to report them first-hand to the government authorities within two days of filing a report.
</p>

<p>
	 
</p>

<p>
	The "Regulations on the Management of Network Product Security Vulnerability" are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks.
</p>

<p>
	 
</p>

<p>
	"No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and shall not illegally collect, sell or publish information on network product security vulnerabilities," Article 4 of the regulation states.
</p>

<p>
	In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being disclosed to "overseas organizations or individuals" other than the products' manufacturers, while noting that the public disclosures should be simultaneously accompanied by the release of repairs or preventive measures.
</p>

<p>
	 
</p>

<p>
	"It is not allowed to deliberately exaggerate the harm and risk of network product security vulnerabilities, and shall not use network product security vulnerability information to carry out malicious speculation or fraud, extortion and other illegal and criminal activities," Article 9 (3) of the regulation reads.
</p>

<p>
	 
</p>

<p>
	Furthermore, it also prohibits the publication of programs and tools to exploit vulnerabilities and put networks at a security risk.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/chinas-new-law-requires-researchers-to.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1265</guid><pubDate>Sat, 17 Jul 2021 16:50:19 +0000</pubDate></item><item><title>CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/cloudflare-cdnjs-bug-could-have-led-to-widespread-supply-chain-attacks-r1264/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that's used by 12.7% of all websites on the internet.
</p>

<p>
	 
</p>

<p>
	CDNJS is a free and open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries, making it the second most popular CDN for JavaScript after Google Hosted Libraries.
</p>

<p>
	 
</p>

<p>
	The weakness concerned an issue in the CDNJS library update server that could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise.
</p>

<p>
	 
</p>

<p>
	The vulnerability was discovered and reported by security researcher RyotaK on April 6, 2021. There is no evidence of in-the-wild attacks abusing this flaw.
</p>

<p>
	 
</p>

<p>
	Specifically, the vulnerability works by publishing packages to Cloudflare's CDNJS using GitHub and npm, using them to trigger a path traversal vulnerability, and ultimately tricking the server into executing arbitrary code, thus achieving remote code execution.
</p>

<p>
	 
</p>

<p>
	It's worth noting that the CDNJS infrastructure includes features to automate library updates by periodically running scripts on the server to download relevant files from the respective user-managed Git repository or npm package registry.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacker.jpg" class="ipsImage" data-ratio="30.28" height="215" width="720" src="https://thehackernews.com/images/-2OH8-UWloDQ/YPLHoP-TA2I/AAAAAAAADOI/JbAw5L60RO0lvUtU82IpUSqP5xVfpFIjACLcBGAsYHQ/s0/hacker.jpg" />
</p>

<p>
	<br />
	By uncovering an issue with how the mechanism sanitizes package paths, RyotaK found that "arbitrary code can be executed after performing path traversal from the .tgz file published to npm and overwriting the script that is executed regularly on the server."
</p>

<p>
	 
</p>

<p>
	In other words, the goal of the attack is to publish a new version of a specially-crafted package to the repository, which is then picked up by the CDNJS library update server for publishing, in the process copying the contents of the malicious package into a regularly executed script file hosted on the server, thereby gaining arbitrary code execution.
</p>

<p>
	 
</p>

<p>
	"While this vulnerability could be exploited without any special skills, it could impact many websites," RyotaK said. "Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it's very scary."
</p>

<p>
	 
</p>

<p>
	This is not the first time the security researcher has uncovered critical flaws in the way updates to software repositories are handled. In April 2021, RyotaK disclosed a critical vulnerability in the official Homebrew Cask repository that could have been exploited by an attacker to execute arbitrary code on users' machines.
</p>

<p>
	 
</p>

<p>
	<a href="https://thehackernews.com/2021/07/cloudflare-cdnjs-bug-could-have-led-to.html" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	 
</p>
]]></description><guid isPermaLink="false">1264</guid><pubDate>Sat, 17 Jul 2021 16:46:25 +0000</pubDate></item><item><title>US govt offers $10 million reward for tips on nation-state hackers</title><link>https://nsaneforums.com/news/security-privacy-news/us-govt-offers-10-million-reward-for-tips-on-nation-state-hackers-r1257/</link><description><![CDATA[<h1>
	US govt offers $10 million reward for tips on nation-state hackers
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The United States government has taken two more active measures to fight and defend against malicious cyber activities affecting the country’s business and critical infrastructure sectors.
	</p>

	<p>
		 
	</p>

	<p>
		One initiative is a website with resources from across the federal government designed to help protect businesses and communities from ransomware attacks.
	</p>

	<p>
		 
	</p>

	<p>
		The other is offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government.
	</p>

	<h3>
		Tackling the ransomware threat
	</h3>

	<p>
		Earlier this week, the U.S. Government launched the StopRansomware.gov website specifically to help private and public entities mitigate the ransomware threat.
	</p>

	<p>
		 
	</p>

	<p>
		It is meant as a central platform for information about ransomware gathered from all federal government agencies, including guidance, the latest alerts, updates, and resources.
	</p>

	<div>
		<p>
			 
		</p>

		<p>
			“<a href="http://www.stopransomware.gov/" rel="external nofollow">StopRansomware.gov</a> includes resources and content from DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service, the Department of Justice’s Federal Bureau of Investigation (FBI), the Department of Commerce’s National Institute of Standards and Technology (NIST), and the Departments of the Treasury and Health and Human Services” - <a href="https://www.dhs.gov/news/2021/07/14/united-states-government-launches-first-one-stop-ransomware-resource" rel="external nofollow">U.S. Department of Homeland Security</a>
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		The ransomware threat has grown to unprecedented levels lately, with attacks on critical infrastructure and businesses whose effects rippled down to ordinary individuals.
	</p>

	<p>
		 
	</p>

	<p>
		Cyberattacks like those on giant <a href="https://www.bleepingcomputer.com/news/security/food-giant-jbs-foods-shuts-down-production-after-cyberattack/" rel="external nofollow">JBS Foods</a>, the largest meat producer in the world, on <a href="https://www.bleepingcomputer.com/news/security/us-declares-state-of-emergency-after-ransomware-hits-largest-pipeline/" rel="external nofollow">Colonial Pipeline</a> - the main fuel supply line for the U.S. East Coast, or the more recent one on Kaseya, which <a href="https://www.bleepingcomputer.com/news/security/kaseya-roughly-1-500-businesses-hit-by-revil-ransomware-attack/" rel="external nofollow">affected up to 1,500 businesses</a> worldwide, highlighted even more the effort necessary to tackle it.
	</p>

	<h3>
		Tracking nation-state hackers
	</h3>

	<p>
		On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure.
	</p>

	<p>
		 
	</p>

	<p>
		The reward is up to $10 million and it is intended for details that can help identify and locate any person that acts on behalf of a foreign government in malicious cyber operations.
	</p>

	<p>
		 
	</p>

	<p>
		The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.”
	</p>

	<div>
		<p>
			 
		</p>

		<p>
			“Protected computers include not only U.S. government and financial institution computer systems, but also those used in or affecting interstate or foreign commerce or communication” - <a href="https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/" rel="external nofollow">U.S. Department of State</a>
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		The payment may be enough to encourage hackers involved in attacks affecting critical infrastructure in the U.S. to turn on each other and get a legal, stress-free payout.
	</p>

	<p>
		 
	</p>

	<p>
		To receive the information in a secure fashion and to protect the safety of potential sources, the Department of State set up a <a href="http://he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion/" rel="external nofollow">tips-reporting service on the dark web</a>:
	</p>

	<pre>
http://he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion [access through Tor browser]</pre>

	<p>
		For this purpose, RFJ is using the SecureDrop platform that is typically used by journalists for secure communication with their sources and to protect their identity by using random codes instead of usernames.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="US Department of State Secure Drop service" data-ratio="66.81" src="https://www.bleepstatic.com/images/news/u/1100723/2021/RFJSecureDrop.jpg">
	</p>

	<p>
		 
	</p>

	<p>
		Additionally, payments through the RFJ program may also be in cryptocurrency, which can help tipsters maintain their anonymity and receive the reward.
	</p>

	<p>
		 
	</p>

	<p>
		The RFJ program started in 1984 and has paid more than $200 million to over 100 individuals who offered information that helped in the fight against terrorism (preventing terrorist acts, bringing terrorists to justice) and in dealing with threats against U.S. national security.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/us-govt-offers-10-million-reward-for-tips-on-nation-state-hackers/" rel="external nofollow">US govt offers $10 million reward for tips on nation-state hackers</a>
</p>
]]></description><guid isPermaLink="false">1257</guid><pubDate>Fri, 16 Jul 2021 23:40:38 +0000</pubDate></item><item><title>D-Link issues hotfix for hard-coded password router vulnerabilities</title><link>https://nsaneforums.com/news/security-privacy-news/d-link-issues-hotfix-for-hard-coded-password-router-vulnerabilities-r1256/</link><description><![CDATA[<h1>
	D-Link issues hotfix for hard-coded password router vulnerabilities
</h1>

<div>
	<p>
		D-Link has issued a firmware hotfix to address multiple vulnerabilities in the <a href="https://us.dlink.com/en/products/dir-3040-smart-ac3000-high-power-wi-fi-tri-band-gigabit-router" rel="external nofollow" target="_blank">DIR-3040</a> AC3000-based wireless internet router.
	</p>

	<p>
		 
	</p>

	<p>
		If successfully exploited, the flaws can let attackers execute arbitrary code on unpatched routers, gain access to sensitive information, or crash the routers by triggering a denial of service state.
	</p>

	<p>
		 
	</p>

	<p>
		The DIR-3040 security flaws discovered and <a href="https://blog.talosintelligence.com/2021/07/vuln-spotlight-d-link.html" rel="external nofollow" target="_blank">reported by Cisco Talos security researcher Dave McDaniel</a> include hardcoded passwords, command injection, and information disclosure bugs.
	</p>


	<h2>
		Authentication bypass via specially crafted requests
	</h2>

	<p>
		The <a href="https://talosintelligence.com/vulnerability_reports/TALOS-2021-1283" rel="external nofollow" target="_blank">CVE-2021-21818</a> and <a href="https://talosintelligence.com/vulnerability_reports/TALOS-2021-1285" rel="external nofollow" target="_blank">CVE-2021-21820</a> hard-coded password and credentials vulnerabilities [<a href="https://cwe.mitre.org/data/definitions/259.html" rel="external nofollow" target="_blank">1</a>, <a href="https://cwe.mitre.org/data/definitions/798.html" rel="external nofollow" target="_blank">2</a>] exist in the router's Zebra IP Routing Manager and the Libcli Test Environment functionality.
	</p>

	<p>
		 
	</p>

	<p>
		Both of them allow threat actors targeting vulnerable D-Link DIR-3040 routers to bypass the authentication process configured by the software administrator.
	</p>

	<p>
		 
	</p>

	<p>
		Attackers can trigger them by sending a sequence of specially crafted network requests that lead to denial of service or code execution on the targeted router, respectively.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://talosintelligence.com/vulnerability_reports/TALOS-2021-1284" rel="external nofollow" target="_blank">CVE-2021-21819</a>, a critical <a href="https://cwe.mitre.org/data/definitions/78.html" rel="external nofollow" target="_blank">OS command injection</a> vulnerability found in the router's Libcli Test Environment functionality, can also be abused by adversaries for code execution.
	</p>

	<p>
		 
	</p>

	<p>
		Additionally, a "hidden telnet service can be started without authentication by visiting https:///start_telnet", after which an attacker can log into the Libcli test environment using a default password stored in unencrypted form on the router.
	</p>

	<h2>
		Vulnerabilities addressed in firmware hotfix
	</h2>

	<p>
		D-Link has <a href="https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10228" rel="external nofollow" target="_blank">resolved the bugs</a> found in firmware version 1.13B03 and has issued a <a href="https://support.dlink.com/resource/SECURITY_ADVISEMENTS/DIR-3040/REVA/DIR-3040_REVA_RELEASE_NOTES_v1.13B03_HOTFIX.pdf" rel="external nofollow" target="_blank">firmware hotfix</a> for all affected customers on July 15, 2021, available for download <a href="https://support.dlink.com/productinfo.aspx?m=DIR-3040-US" rel="external nofollow" target="_blank">here</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The complete list of vulnerabilities addressed by D-Link with this hotfix includes:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			CVE-2021-21816 - Syslog information disclosure vulnerability
		</li>
		<li>
			CVE-2021-21817 - Zebra IP Routing Manager information disclosure vulnerability
		</li>
		<li>
			CVE-2021-21818 - Zebra IP Routing Manager hard-coded password vulnerability
		</li>
		<li>
			CVE-2021-21819 - Libcli command injection vulnerability
		</li>
		<li>
			CVE-2021-21820 - Libcli Test Environment hard-coded password vulnerability
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		D-Link says that the firmware hotfix released to address the bugs found by Cisco Talos is "a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release."
	</p>

	<p>
		 
	</p>

	<p>
		The table below lists the vulnerable router models and links to the updated firmware version containing the fix.
	</p>

	<p>
		 
	</p>

	<div>
		<table border="1" id="tableOfContents">
			<tbody>
				<tr>
					<td>
						Model
					</td>
					<td>
						Hardware Revision
					</td>
					<td>
						Affected FW
					</td>
					<td>
						Fixed FW
					</td>
					<td>
						Recommendation
					</td>
					<td>
						Last Updated
					</td>
				</tr>
				<tr>
					<td>
						DIR-3040
					</td>
					<td>
						All Ax Hardware Revisions
					</td>
					<td>
						v1.13B03 &amp; Below
					</td>
					<td>
						<a href="https://support.dlink.com/resource/SECURITY_ADVISEMENTS/DIR-3040/REVA/DIR-3040_REVA_FIRMWARE_v1.13B03_HOTFIX.zip" rel="external nofollow" save_image_to_download="true">v1.13B03 Hotfix</a>
					</td>
					<td>
						<p>
							1) Please Download Patch and Update Device
						</p>

						<p>
							2) Full QA Firmware under test for automatic F/W update notification on D-Link Wifi mobile App
						</p>
					</td>
					<td>
						06/09/2021
					</td>
				</tr>
			</tbody>
		</table>
	</div>

	<p>
		 
	</p>

	<p>
		D-Link has patched other severe vulnerabilities in multiple router models in the past, including remote command injection bugs enabling attackers to <a href="https://www.bleepingcomputer.com/news/security/d-link-vpn-routers-get-patch-for-remote-command-injection-bugs/" target="_blank" rel="external nofollow">take complete control of vulnerable devices</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Previously, the company <a href="https://www.bleepingcomputer.com/news/security/5-severe-d-link-router-vulnerabilities-disclosed-patch-now/" target="_blank" rel="external nofollow">fixed five critical vulnerabilities</a> impacting some of its routers that made it possible for threat actors to steal admin credentials, bypass authentication, and execute arbitrary code in reflected Cross-Site Scripting (XSS) attacks.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/d-link-issues-hotfix-for-hard-coded-password-router-vulnerabilities/" rel="external nofollow">D-Link issues hotfix for hard-coded password router vulnerabilities</a>
</p>
]]></description><guid isPermaLink="false">1256</guid><pubDate>Fri, 16 Jul 2021 23:38:31 +0000</pubDate></item><item><title>Google patches 8th Chrome zero-day exploited in the wild this year</title><link>https://nsaneforums.com/news/security-privacy-news/google-patches-8th-chrome-zero-day-exploited-in-the-wild-this-year-r1255/</link><description><![CDATA[<h1>
	Google patches 8th Chrome zero-day exploited in the wild this year
</h1>

<div>
	<p>
		Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux to fix seven security vulnerabilities, one of them a high severity zero-day vulnerability exploited in the wild.
	</p>

	<p>
		 
	</p>

	<p>
		"Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild," the company revealed.
	</p>

	<p>
		 
	</p>

	<p>
		The new Chrome release has started rolling out worldwide to the Stable desktop channel and will become available to all users over the following days.
	</p>

	<p>
		 
	</p>

	<p>
		Google Chrome will automatically update itself on the next launch, but you can also manually update it by checking for the newly released version from Settings &gt; Help &gt; 'About Google Chrome.'
	</p>

	<h2>
		Eighth exploited zero-day patched this year
	</h2>

	<p>
		The zero-day patched on Thursday and reported by Google Project Zero's Sergei Glazunov is described as a <a href="https://cwe.mitre.org/data/definitions/122.html" rel="external nofollow" target="_blank">type confusion</a> bug in <a href="https://v8.dev/" rel="external nofollow" target="_blank">V8</a>, Google's open-source C++-based and high-performance WebAssembly and JavaScript engine.
	</p>

	<p>
		 
	</p>

	<p>
		Even though type confusion weaknesses would generally lead to browser crashes following successful exploitation by reading or writing memory out of the bounds of the buffer, they can also be exploited by threat actors to execute arbitrary code on devices running vulnerable software.
	</p>

	<p>
		 
	</p>

	<p>
		While Google said that it is aware of in-the-wild exploitation of CVE-2021-30563, it did not share details about these attacks, to allow the security update to reach as many systems as possible before more threat actors start actively abusing the bug.
	</p>

	<p>
		 
	</p>

	<p>
		"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," <a href="https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html" rel="external nofollow" target="_blank">Google said</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."
	</p>

	<p>
		 
	</p>

	<p>
		In all, Google has patched eight Chrome zero-day bugs exploited by attackers in the wild since the start of 2021. Besides CVE-2021-30563, the company previously addressed:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<a href="https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-actively-exploited-in-the-wild/" target="_blank" rel="external nofollow">CVE-2021-21148</a> - February 4th, 2021
		</li>
		<li>
			<a href="https://www.bleepingcomputer.com/news/security/google-fixes-second-actively-exploited-chrome-zero-day-bug-this-year/" target="_blank" rel="external nofollow">CVE-2021-21166</a> - March 2nd, 2021
		</li>
		<li>
			<a href="https://www.bleepingcomputer.com/news/security/google-fixes-second-actively-exploited-chrome-zero-day-this-month/" target="_blank" rel="external nofollow">CVE-2021-21193</a> - March 12th, 2021
		</li>
		<li>
			<a href="https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html" rel="external nofollow" target="_blank">CVE-2021-21220</a> - April 13th, 2021
		</li>
		<li>
			<a href="https://www.bleepingcomputer.com/news/security/google-fixes-exploited-chrome-zero-day-dropped-on-twitter-last-week/" target="_blank" rel="external nofollow">CVE-2021-21224</a> - April 20th, 2021
		</li>
		<li>
			<a href="https://www.bleepingcomputer.com/news/security/google-fixes-sixth-chrome-zero-day-exploited-in-the-wild-this-year/" target="_blank" rel="external nofollow">CVE-2021-30551</a> - June 9th, 2021
		</li>
		<li>
			<a href="https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/" target="_blank" rel="external nofollow">CVE-2021-30554</a> - June 17th, 2021
		</li>
	</ul>

	<h2>
		More details on previously patched Chrome zero-days
	</h2>

	<p>
		The Google Threat Analysis Group (TAG) shared additional details earlier this week regarding in-the-wild exploitation of the <a href="https://www.bleepingcomputer.com/news/security/google-russian-svr-hackers-targeted-linkedin-users-with-safari-zero-day/" target="_blank" rel="external nofollow">CVE-2021-21166 and CVE-2021-30551 Chrome zero-days</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world," Google said.
	</p>

	<p>
		 
	</p>

	<p>
		On Thursday, Microsoft and Citizen Lab linked the vendor mentioned in Google TAG's report to <a href="https://www.bleepingcomputer.com/news/security/microsoft-israeli-firm-used-windows-zero-days-to-deploy-spyware/" target="_blank" rel="external nofollow">Israeli spyware vendor Candiru</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Threat actors deployed the surveillance vendor's spyware to infect iOS, Android, macOS, and Windows devices using Chrome zero-days and unpatched Windows flaws.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft researchers found that Candiru's malware was used to compromise the systems of "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents."
	</p>

	<p>
		 
	</p>

	<p>
		In all, Microsoft said it discovered "at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore."
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-patches-8th-chrome-zero-day-exploited-in-the-wild-this-year/" rel="external nofollow">Google patches 8th Chrome zero-day exploited in the wild this year</a>
</p>
]]></description><guid isPermaLink="false">1255</guid><pubDate>Fri, 16 Jul 2021 23:35:53 +0000</pubDate></item><item><title>Hackers Got Past Windows Hello by Tricking a Webcam</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-got-past-windows-hello-by-tricking-a-webcam-r1254/</link><description><![CDATA[<div>
	<h1>
		Hackers Got Past Windows Hello by Tricking a Webcam
	</h1>

	<p>
		<strong>The security researchers used infrared photos and third-party hardware to best Microsoft's facial recognition tech.</strong>
	</p>
</div>

<div data-attribute-verso-pattern="article-body">
	<div data-event-boundary="click" data-event-click='{"pattern":"ChunkedArticleContent"}' data-in-view='{"pattern":"ChunkedArticleContent"}' data-include-experiments="true">
		<div>
			<div>
				<div data-journey-hook="client-content">
					<p>
						Biometric authentication is a key piece of the tech industry's plans to <a href="https://www.wired.com/story/passwords-not-dead-yet-authentication/" rel="external nofollow">make the world passwordless</a>. But a new method for duping Microsoft's <a href="https://www.wired.com/2015/03/microsofts-bold-plan-ditch-passwords-windows-10/" rel="external nofollow">Windows Hello</a> facial recognition system shows that a little hardware fiddling can trick the system into unlocking when it shouldn't.
					</p>

					<p>
						 
					</p>

					<p>
						Services like <a href="https://www.wired.com/story/tried-to-beat-face-id-and-failed-so-far/" rel="external nofollow">Apple's FaceID</a> have made facial recognition authentication more commonplace in recent years, with Windows Hello driving adoption even farther. Apple only lets you use FaceID with the cameras embedded in recent iPhones and iPads, and it's still not supported on Macs at all. But because Windows hardware is so diverse, Hello facial recognition works with an array of third-party <a href="https://www.wired.com/gallery/best-webcams/" rel="external nofollow">webcams</a>. Where some might see ease of adoption, though, researchers from the security firm CyberArk saw <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery"}' href="https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery" rel="external nofollow" target="_blank">potential vulnerability</a>.
					</p>

					<p>
						 
					</p>

					<p>
						That's because you can't trust any old webcam to offer robust protections for how it collects and transmits data. Windows Hello facial recognition only works with webcams that have an infrared sensor in addition to the regular RGB sensor. But the system, it turns out, doesn't even look at RGB data. Which means that with one straight-on infrared image of a target's face and one black frame, the researchers found that they could unlock the victim's Windows Hello-protected device. 
					</p>

					<p>
						 
					</p>

					<p>
						By manipulating a USB webcam to deliver an attacker-chosen image, the researchers could trick Windows Hello into thinking the device owner’s face was present and unlocking.
					</p>

					<p>
						 
					</p>

					<p>
						“We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input.”
					</p>


					<p>
						Microsoft calls the finding a “Windows Hello Security Feature Bypass Vulnerability” and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34466"}' href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34466" rel="external nofollow" target="_blank">released patches</a> on Tuesday to address the issue. In addition, the company suggests that users enable "Windows Hello Enhanced Sign-in Security,” which uses Microsoft's “Virtualization-based Security” to encrypt Windows Hello face data and process it in a protected area of memory where it can't be tampered with. The company did not respond to a request for comment from WIRED about the CyberArk findings.
					</p>


					<p>
						Tsarfati, who will present the findings next month at the Black Hat security conference in Las Vegas, says that the CyberArk team chose to look at Windows Hello's facial recognition authentication in particular because there has already been a lot of research industry-wide into <a href="https://www.wired.com/2009/04/pins/" rel="external nofollow">PIN cracking</a> and <a href="https://www.wired.com/story/cheap-3d-printer-trick-smartphone-fingerprint-locks/" rel="external nofollow">fingerprint-sensor</a> <a href="https://www.wired.com/story/deepmasterprints-fake-fingerprints-machine-learning/" rel="external nofollow">spoofing</a>. He adds that the team was drawn by the sizable Windows Hello user base. In May 2020 Microsoft said that the service had more than 150 million users. In December, the company <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/"}' href="https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/" rel="external nofollow" target="_blank">added</a> that 84.7 percent of Windows 10 users sign in with Windows Hello.
					</p>


					<p>
						While it sounds simple—show the system two photos and you're in—these Windows Hello bypasses wouldn't be easy to carry out in practice. The hack requires that attackers have a good quality infrared image of the target's face and physical access to their device. But the concept is significant as Microsoft continues to push Hello adoption with Windows 11. Hardware diversity among Windows devices and the sorry state of IoT security could combine to create other vulnerabilities in how Windows Hello accepts face data.
					</p>

					<p>
						 
					</p>

					<p>
						“A really motivated attacker could do those things,” says Tsarfati. “Microsoft was great to work with and produced mitigations, but the deeper problem itself about trust between the computer and the camera stays there.”
					</p>
				</div>
			</div>

			<div>
				<div data-journey-hook="client-content">
					<p>
						 
					</p>

					<p>
						There are different ways to take and process images for facial recognition. Apple's FaceID, for example, only works with the company's proprietary TrueDepth camera arrays, an infrared camera combined with a number of other sensors. But Apple is in a position to control both hardware and software on its devices in a way that Microsoft is not for the Windows ecosystem. The Windows Hello Face <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0#ID0EBD=Windows_10"}' href="https://support.microsoft.com/en-us/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0#ID0EBD=Windows_10" rel="external nofollow" target="_blank">setup information</a> simply says “sign-in with your PC's infrared camera or an external infrared camera.”
					</p>

					<p>
						 
					</p>

					<p>
						Marc Rogers, a longtime biometric sensor security researcher and vice president of cybersecurity at the digital identity management company Okta, says that Microsoft should make it very clear to users which third-party webcams are certified as offering robust protections for Windows Hello. Users can still decide whether they want to buy one of these products versus any old infrared webcam, but specific guidelines and recommendations would help people understand the options.
					</p>

					<p>
						 
					</p>

					<p>
						The CyberArk research fits into a broader category of hacks known as “downgrade attacks,” in which a device is tricked into relying on a less secure mode—like a malicious cellphone tower that forces your phone to use 3G mobile data with its weaker defenses instead of 4G. An attack that gets Windows Hello to accept static, pre-recorded face data uses the same premise, and researchers have <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://arstechnica.com/gadgets/2017/12/specially-prepared-photos-shown-bypassing-windows-hello-facial-recognition/"}' href="https://arstechnica.com/gadgets/2017/12/specially-prepared-photos-shown-bypassing-windows-hello-facial-recognition/" rel="external nofollow" target="_blank">defeated Windows Hello's</a> facial recognition before, getting the system to accept photos using different techniques. Rogers says it's surprising that Microsoft didn't anticipate the possibility of attacks against third-party cameras like the one CyberArk devised.
					</p>

					<p>
						 
					</p>

					<p>
						“Really Microsoft should know better,” he says. “This attack pathway in general is one that we have known for a long time. I’m a bit disappointed that they aren’t more strict about what cameras they will trust.”
					</p>
				</div>
			</div>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/windows-hello-facial-recognition-bypass/" rel="external nofollow">Hackers Got Past Windows Hello by Tricking a Webcam</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">1254</guid><pubDate>Fri, 16 Jul 2021 23:33:52 +0000</pubDate></item><item><title>Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware</title><link>https://nsaneforums.com/news/security-privacy-news/israeli-firm-helped-governments-target-journalists-activists-with-0-days-and-spyware-r1249/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware</strong></span>
</p>

<p>
	 
</p>

<p>
	Two of the zero-day Windows flaws patched by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally.
</p>

<p>
	 
</p>

<p>
	The spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab.
</p>

<p>
	 
</p>

<p>
	"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers said. "This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services."
</p>

<p>
	 
</p>

<p>
	Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is said to be the developer of an espionage toolkit dubbed DevilsTongue that's exclusively sold to governments and is capable of infecting and monitoring a broad range of devices across different platforms, including iPhones, Androids, Macs, PCs, and cloud accounts.
</p>

<p>
	 
</p>

<p>
	Citizen Lab said it was able to recover a copy of Candiru's Windows spyware after obtaining a hard drive from "a politically active victim in Western Europe," which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771 that were leveraged to install malware on victim boxes.
</p>

<p>
	 
</p>

<p>
	The infection chain relied on a mix of browser and Windows exploits, with the former served via single-use URLs sent to targets on messaging applications such as WhatsApp. Microsoft addressed both the privilege escalation flaws, which enable an adversary to escape browser sandboxes and gain kernel code execution, on July 13.
</p>

<p>
	 
</p>

<p>
	The intrusions culminated in the deployment of DevilsTongue, a modular C/C++-based backdoor equipped with a number of capabilities, including exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.
</p>

<p>
	 
</p>

<p>
	Microsoft's analysis of the digital weapon also found that it could abuse the stolen cookies from logged-in email and social media accounts like Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim's messages, retrieve photos, and even send messages on their behalf, thus allowing the threat actor to send malicious links directly from a compromised user's computer.
</p>

<p>
	 
</p>

<p>
	Separately, the Citizen Lab report also tied the two Google Chrome vulnerabilities disclosed by the search giant on Wednesday — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv company, noting overlaps in the websites that were used to distribute the exploits.
</p>

<p>
	 
</p>

<p>
	Furthermore, 764 domains linked to Candiru's spyware infrastructure were uncovered, with many of the domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities. Some of the systems under their control were operated from Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia.
</p>

<p>
	 
</p>

<p>
	Over 100 victims of SOURGUM's malware have been identified to date, with targets located in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. "These attacks have largely targeted consumer accounts, indicating Sourgum's customers were pursuing particular individuals," Microsoft's General Manager of Digital Security Unit, Cristin Goodwin, said.
</p>

<p>
	 
</p>

<p>
	The latest report arrives as TAG researchers Maddie Stone and Clement Lecigne noted a surge in attackers using more zero-day exploits in their cyber offensives, in part fueled by more commercial vendors selling access to zero-days than in the early 2010s.
</p>

<p>
	 
</p>

<p>
	"Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices," Microsoft Threat Intelligence Center (MSTIC) said in a technical rundown.
</p>

<p>
	 
</p>

<p>
	"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks," MSTIC added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1249</guid><pubDate>Fri, 16 Jul 2021 15:37:34 +0000</pubDate></item><item><title>Microsoft announce extension of security updates for Windows Server 2008, 2012 and SQL Server 2012</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-announce-extension-of-security-updates-for-windows-server-2008-2012-and-sql-server-2012-r1243/</link><description><![CDATA[<div>
	<h1>
		Microsoft announce extension of security updates for Windows Server 2008, 2012 and SQL Server 2012
	</h1>
</div>

<div>
	 
</div>

<div>
	<article>
		<p>
			The internet has become increasingly dangerous, making it very difficult for Microsoft to simply abandon old software which is often running important infrastructure.
		</p>

		<p>
			 
		</p>

		<p>
			At Inspire 2021 Microsoft announced that they will continue to release Extended Security Updates for Windows Server 2008 and 2012, and for SQL Server 2012.
		</p>

		<p>
			 
		</p>

		<p>
			Windows Server 2012 and 2012 R2 were set to exit Extended Support on the 10th October 2023, but Microsoft has confirmed that this will be pushed back 3 years, while SQL Server 2012 will also get another 3 years beyond its earlier July 12, 2022 end of support date.
		</p>

		<p>
			 
		</p>

		<p>
			Extended support of course costs a pretty penny, but Microsoft is prepared to offer it for free if you move your Windows Server to their Azure cloud using Azure Hybrid Benefit, which Microsoft says is the cheapest way to run Windows Server and SQL Server in the cloud.
		</p>

		<p>
			 
		</p>

		<p>
			If you decide to stay on-prem, Microsoft is demanding a price escalator: year one of support costs three-quarters of your licence cost, year two the full licence price, and in year three Extended Security Updates will cost 125 per cent of the licence cost.
		</p>

		<p>
			 
		</p>

		<p>
			Read all the detail at Microsoft <a href="https://cloudblogs.microsoft.com/windowsserver/2021/07/14/plan-your-windows-server-2012-and-2012-r2-end-of-support/" rel="external nofollow" target="_blank">here</a>.
		</p>

		<p>
			 
		</p>

		<p>
			via <a href="https://www.theregister.com/2021/07/15/microsoft_extends_support_for_windows_server_2012_and_2008/" rel="external nofollow" target="_blank">The Register</a>
		</p>
	</article>
</div>

<p>
	<a href="https://mspoweruser.com/microsoft-announce-extension-of-security-updates-for-windows-server-2008-2012-and-sql-server-2012-and-2008/" rel="external nofollow">Microsoft announce extension of security updates for Windows Server 2008, 2012 and SQL Server 2012</a>
</p>
]]></description><guid isPermaLink="false">1243</guid><pubDate>Fri, 16 Jul 2021 04:42:10 +0000</pubDate></item><item><title>Microsoft shares guidance on new Windows Print Spooler vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability-r1242/</link><description><![CDATA[<h1>
	Microsoft shares guidance on new Windows Print Spooler vulnerability
</h1>

<div>
	<p>
		Microsoft is sharing mitigation guidance on a new Windows Print Spooler vulnerability tracked as CVE-2021-34481 that was disclosed tonight.
	</p>

	<p>
		Microsoft released an advisory Thursday night for a new <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481" rel="external nofollow" target="_blank">CVE-2021-34481</a> elevation of privilege vulnerability in the Windows Print Spooler that Dragos security researcher Jacob Baines discovered.
	</p>

	<p>
		Unlike the recently patched <a href="https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/" target="_blank" rel="external nofollow">PrintNightmare vulnerability</a>, this vulnerability can only be exploited locally to gain elevated privileges on a device.
	</p>

	<p>
		"The attack is not really related to PrintNightmare. As you know, PN can be executed remotely and this is a local only vulnerability," Baines confirmed to BleepingComputer.
	</p>

	<p>
		Not much is known at this time about the vulnerability, including what versions of Windows are vulnerable.
	</p>

	<p>
		However, Baines did share with BleepingComputer that it is printer driver-related.
	</p>

	<p>
		Baines will be sharing more information about CVE-2021-34481 on August 7th during a DEF CON talk titled "<a href="https://defcon.org/html/defcon-29/dc-29-speakers.html#baines" rel="external nofollow" target="_blank">Bring Your Own Print Driver Vulnerability</a>."
	</p>

	<h2>
		Mitigation measures available
	</h2>

	<p>
		While Microsoft has not released security updates to address this flaw, they have provided mitigation measures that admins can use to block attackers from exploiting the vulnerability.
	</p>

	<p>
		At this time, the available option is to disable the Print Spooler service on a vulnerable device.
	</p>

	<p>
		Option 1 - Disable the Print Spooler service
	</p>

	<p>
		If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
	</p>

	<p>
		<code>Stop-Service -Name Spooler -Force</code>
	</p>

	<p>
		<code>Set-Service -Name Spooler -StartupType Disabled</code>
	</p>

	<p>
		It is important to note that if you disable the print spooler on a device, the device will no longer print to a local or remote printer.
	</p>
</div>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability/" rel="external nofollow">Microsoft shares guidance on new Windows Print Spooler vulnerability</a>
</p>
]]></description><guid isPermaLink="false">1242</guid><pubDate>Fri, 16 Jul 2021 04:39:40 +0000</pubDate></item></channel></rss>
