Search the Community

Showing results for tags 'attack'.
Found 8 results

  1. Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users' computers. The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus. Microsoft employees say they investigated the alerts and determined that hackers breached the cloud server infrastructure of a software company providing font packages as MSI files. These MSI files were offered to other software companies. One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company's cloud servers during the editor's installation routine.

     Hackers created a copy of the company's cloud servers

     "Attackers recreated the [first company's] infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font packages, all clean and digitally signed, in the replica server," Microsoft's security researchers said. "The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code," they added. "Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the [PDF editor] app. The parameters included a new download link that pointed to the attacker server," Microsoft said. Users who downloaded and ran the PDF editor app would unknowingly install the font packages, including the malicious one, from the hackers' cloned server.

     Supply chain attack within a supply chain

     Because the PDF editor app was installed under SYSTEM privileges, the malicious coinminer code hidden inside would receive full access to a user's system. The malicious miner would create its own process named xbox-service.exe under which it would mine for cryptocurrencies using victims' computers. Microsoft said Windows Defender ATP detected mining-specific behavior from this process. Investigators then tracked down the origin of this process to the PDF editor app installer and the MSI font packages. Security researchers said it was easy to identify which MSI font package was the malicious one because all other MSI files were signed by the original software company, except one file, which lost its authenticity when crooks injected the coinminer code inside it. This malicious miner also stood out to investigators because it also tried to modify the Windows hosts file in a poor attempt at sinkholing update operations for various security apps. Tinkering with the Windows hosts file is a big no-no, and most antivirus software will mark this operation as suspicious or malicious. Microsoft did not reveal the names of the two software companies involved in this incident. The OS maker says the compromise lasted between January and March 2018, and affected only a small number of users, suggesting the hacked companies aren't big names on the PDF software market. Source
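The hosts-file tampering that helped give the miner away can be checked for directly. The script below is an added example, not code from Microsoft or the article: it parses a constructed hosts file and flags any mapping that overrides a protected security or update domain, distinguishing sinkholing (to loopback or 0.0.0.0) from redirection to some other address. The protected-domain list and the sample entries are assumptions made for the demo.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file after tampering. The security/update
# domains below are placeholders, not the products named in Microsoft's report.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.com      # sinkholed
127.0.0.1       definitions.example-security.net
10.0.0.5        intranet.corp.example
203.0.113.9     download.windowsupdate.com
"""

# Domains a legitimate hosts file on a managed endpoint should never override.
# Assumption: a defender maintains this list for the products actually deployed.
PROTECTED_SUFFIXES = (
    "example-av.com",
    "example-security.net",
    "windowsupdate.com",
    "microsoft.com",
)

HOST_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not an address; skip malformed line
        for name in names:
            yield addr, name.lower(), line_no


def is_protected(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_sinkholed(text):
    """Return every mapping that overrides a protected domain, with a reason."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue
        if is_protected(name):
            # loopback or 0.0.0.0 means the lookup is blackholed; anything else is a redirect
            reason = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
            findings.append({"line": line_no, "host": name, "ip": str(addr), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On a real endpoint, point the parser at `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`); any hit for a protected suffix is worth an alert regardless of the reason, since neither a vendor installer nor a user normally has cause to write those entries.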
  2. The Intel Support Assistant is the latest Windows utility to be found that could expose millions of computers to privilege-escalation attacks through file manipulation and symbolic links. Intel issued a patch on Nov. 10, fixing a vulnerability in the way the Intel Support Assistant interacts with files that could impact millions of Windows systems and could lead to privilege-escalation attacks. The vulnerability is the latest issue disclosed by access-security firm CyberArk during an 18-month effort to seek out specific types of patterns that could lead to vulnerabilities, analyzing widespread management utilities for flaws that would allow malware or a local attacker to gain system privileges on a victim's computer.

     In this case, the Intel Support Assistant interacts insecurely with nonprivileged data and directories, giving attackers the ability to execute code as the privileged program by modifying a nonprivileged file. The attack only requires a malicious program or user to copy malicious code to a directory used by the utility, according to Eran Shimony, a security researcher with CyberArk. The issues, which allow an attacker to manipulate files, result in raising the permissions of any malware program, giving it the ability to "do a bunch of things that you couldn't do as a mere user," the researcher says. "To trigger the ability is pretty simple: You abuse some of the features of the Intel Support Assistant, and through that, you can escalate into a system account," he says. "And, if you have local admin, then it is pretty much game over."

     The vulnerabilities underscore the impact that simple errors — such as failing to protect the directories used by system utilities with high-level permissions or running those utilities with reduced access rights — can have on system security. Shimony's research effort, conducted over 18 months, aimed to provide "a complementary approach to fuzzing" to find new vulnerabilities. By June 2020, the CyberArk research group had discovered more than 60 distinct vulnerabilities. The research has resulted in a series of security notices from CyberArk and advisories from affected firms about privilege-escalation vulnerabilities in a passel of system utilities — from Microsoft's Windows Defender to Dell's Update Package. Shimony disclosed a vulnerability in Windows Defender in October 2019, for example, that abused symbolic links, or symlinks — files that link to other files — to allow any file to be deleted on any Windows system without the fix. A few weeks later, the researcher released details of a class of vulnerability caused by the vendors' failure to protect the directories used by their software installers. An attacker could replace an installed file with malicious code of the same name and then wait for the administrator to run the installer to run the code. Dell's Update Package, for example, would run whenever there was an update.

     The researcher notified Intel of the latest vulnerability more than a year ago. The company needed time to inform all of its partners and work together on a fix, Shimony says. The notification of the Intel Support Assistant vulnerability (CVE-2020-22460) came on Tuesday. While the vendors have released patches for the vulnerabilities, Shimony urges developers to be aware of this particular class of flaws and has two recommendations for programmers. First, developers should always protect the directories and files used by privileged programs from modification — whether creation, deletion, or manipulation — by regular users. Second, coders should always execute specific operations at the least privilege needed to manipulate local files, by adopting the appropriate role. "Often, the privileged program can do the same things in the context of the administrator or the system, or it can do the same things in the context of the regular user," he says. "If the developer can, they should impersonate the local user whenever at all possible. If they do that, we cannot do any file manipulation attack, because we would not have the necessary permissions to do them."

     The researcher also disclosed a second vulnerability in Intel's Support Assistant that is more complex to exploit and which allows an attacker to delete an arbitrary file. This is not the first time that the Intel Support Assistant has been a vehicle for privilege escalation. In early September, the company also issued a notice that a similar scenario — a user exploiting file permissions — can lead to escalation of privilege. Source
  3. A surfer who refers to himself as "shark bait" has been hospitalized after a shark attack during an early morning surf on the NSW mid-north coast. The man received five deep lacerations to one of his lower legs when he was bitten by a shark at Nambucca Heads after 7am on Sunday, a NSW Ambulance spokesman said. Joel Mason, 36, managed to swim to a nearby break wall, where a passer-by saw him and contacted emergency services. He was treated at the scene before being flown to John Hunter Hospital in Newcastle, where he's in a stable condition. Mr Mason's father, Rob, told Nine News his son has loved surfing since he was young and it was "very disturbing" when he found out about the incident. "He's surfed since he was 5 or 6 years old," Mr Mason said. "He loves to surf early and he loves to surf by himself which is sort of a bit risky. "He says he's shark bait but he's prepared to take the risk and he does." NSW Ambulance spokesman Steve Fraser said Mr Mason remained "extremely calm, extremely stoic" throughout the ordeal. Source
  4. Unauthorised users able to perform 'arbitrary code execution'

     A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access. Citrix (NetScaler) ADC is a load balancer and monitoring tech, while Unified Gateway provides remote access to internal applications. This can include desktop applications as well as intranet or web applications. "Any application on any device from any location" is the marketing pitch.

     On 17 December, Citrix published an advisory stating that a vulnerability in these services "could allow an unauthenticated attacker to perform arbitrary code execution." According to Positive Technologies, the security company which discovered the flaw, no account details are required. Positive says the "first vulnerable version of the software was released in 2014", and estimates that "at least 80,000 companies in 158 countries are potentially at risk." Since the whole idea of this technology is to enable remote access to internal applications, arbitrary code execution could give the attacker access to the internal network, making it a particularly critical flaw.

     Citrix has published mitigation steps which block certain SSL VPN requests, suggesting that this area is where the flaw lies. This is a mitigation rather than a complete fix. An SSL VPN is a secure tunnel into a remote network which uses the SSL protocol.

     The affected versions of Citrix ADC and Unified Gateway include 10.5, 11.1, 12.0, 12.1 and 13.0. The problem has been assigned the ID CVE-2019-19781 and details will be available at this link when published. Citrix said it is "notifying customers and channel partners about this potential security issue." Administrators are advised to apply the mitigation immediately. A full software fix will be made available in due course. Source
  5. Microsoft said it got a court order to seize 50 websites used by a hacker group with ties to North Korea that targeted government employees, universities, human rights organizations and nuclear proliferation groups in the U.S., Japan and South Korea. The group, known as Thallium, uses the network of websites, domains and connected computers to send out “spear phishing” emails. Hackers gather as much information on targets as they can to personalize messages and make them appear legitimate. When the target clicks on a link in the email, hackers are then able to “compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information,” Microsoft wrote in a blog post.

     Microsoft showed an example of one of Thallium’s spear phishing messages. It looks very much like a standard notification that comes with signing into a Microsoft account in a new location. One big difference, Microsoft says, is the group combined the letters “r” and “n” in the domain name to look like the first letter “m” in “microsoft.com.”

     Microsoft, through its Digital Crimes Unit and Threat Intelligence Center, has positioned itself as an important line of defense against so-called “nation state” hacking organizations. Microsoft has in recent years taken on hacking groups with ties to China, Iran and Russia. The tech giant uses the information it gathers from tracking these hackers to beef up its security products. Microsoft recommended a number of actions organizations can take to better protect themselves, including enabling two-factor authentication on business and personal email accounts, training people to spot phishing attempts and enabling security alerts about links and files from suspicious websites. Source: MSN
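The "rn" for "m" trick Microsoft describes is a homoglyph lookalike domain, and that class can be caught mechanically rather than by eye. The script below is an added example, not Microsoft's code or anything from the article: it collapses each registrable domain label to the visual shape a reader perceives and compares that against a protected brand list, generalizing past the single "rn"/"m" case to other confusable sequences and to brand names embedded in hyphenated labels. The brand list, the confusable table and the sample message body are all assumptions.

```python
import re

# Brand labels worth protecting. Assumption: the defender maintains this for its own tenants.
PROTECTED_LABELS = ("microsoft", "office", "outlook", "live")

# Letter pairs that render like one glyph in many fonts ("rn" -> "m"), then digit-for-letter
# substitutions. Not exhaustive; extend it from real phishing samples.
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def skeleton(label):
    """Reduce a label to the shape a reader perceives at a glance."""
    s = label.lower().translate(SINGLE_CHAR_CONFUSABLES)
    for seq, rep in MULTI_CHAR_CONFUSABLES:
        s = s.replace(seq, rep)
    return s


def registrable_label(domain):
    """Second-level label, e.g. 'rnicrosoft' for 'login.rnicrosoft.com'.
    Assumption: two-label public suffixes such as co.uk are out of scope for this demo."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(domain):
    """Return (verdict, brand): 'legit' for the real label, 'lookalike' when the whole label
    or one of its hyphen-separated tokens collapses to a protected brand, else 'unrelated'."""
    label = registrable_label(domain)
    if label in PROTECTED_LABELS:
        return "legit", label
    candidates = [label] + label.split("-")      # catches 'rnicrosoft' and 'microsoft-login'
    for brand in PROTECTED_LABELS:
        if any(skeleton(c) == brand for c in candidates):
            return "lookalike", brand
    return "unrelated", None


def scan_message(text):
    """Classify every http(s) host in a message body. Returns (host, verdict, brand) tuples."""
    return [(host, *classify_domain(host)) for host in URL_HOST.findall(text)]


# Constructed body imitating a new-sign-in notice; not Thallium's actual mail.
SAMPLE_MAIL = """\
Unusual sign-in activity
We detected something unusual about a recent sign-in to your account.
Review recent activity: https://account.rnicrosoft.com/activity?id=71
Manage settings: https://account.microsoft.com/security
Help: https://support.rnicros0ft-account.com/help
"""


if __name__ == "__main__":
    for host, verdict, brand in scan_message(SAMPLE_MAIL):
        print(f"{verdict:10} {host}  (brand: {brand})")
```

Whole-label and per-token comparison is deliberate: matching the brand as a substring anywhere in the label would flag `delivery.com` for `live`, while exact skeleton equality keeps the false-positive rate low enough to act on automatically. Internationalized (`xn--`) labels need a separate Unicode-confusables pass that this demo does not attempt.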
  6. Why block them when you can fool them? New tool sets traps for hackers

     Instead of blocking hackers, the researchers have created a new cybersecurity defence approach, which involves setting traps for hackers. The method, called DEEP-Dig (DEcEPtion DIGging), ushers intruders into a decoy site so the computer can learn from hackers’ tactics. The information is then used to train the computer to recognise and stop future attacks.

     DEEP-Dig advances a rapidly growing cybersecurity field known as deception technology, which involves setting traps for hackers. “There are criminals trying to attack our networks all the time, and normally we view that as a negative thing, instead of blocking them, maybe what we could be doing is viewing these attackers as a source of free labour,” said study researcher Kevin Hamlen from University of Texas in Dallas, US. “They’re providing us data about what malicious attacks look like. It’s a free source of highly prized data,” Hamlen added.

     The approach aims to solve a major challenge to using artificial intelligence (AI) for cybersecurity: a shortage of data needed to train computers to detect intruders. The lack of data is due to privacy concerns. Better data will mean better ability to detect attacks, the researchers said. “We’re using the data from hackers to train the machine to identify an attack, we’re using deception to get better data,” said study researcher Gbadebo Ayoade.

     Hackers typically begin with their simplest tricks and then use increasingly sophisticated tactics, the researchers said. But most cyberdefense programmes try to disrupt intruders before anyone can monitor the intruders’ techniques. DEEP-Dig will give researchers a window into hackers’ methods as they enter a decoy site stocked with disinformation. The decoy site looks legitimate to intruders and attackers will feel they’re successful, said study researcher Latifur Khan.

     As hackers’ tactics change, DEEP-Dig could help cybersecurity defence systems keep up with their new tricks. According to the researchers, while DEEP-Dig aims to outsmart hackers, it might be possible that hackers could have the last laugh if they realise they have entered a decoy site and try to deceive the programme. “So far, we’ve found this doesn’t work. When an attacker tries to play along, the defence system just learns how hackers try to hide their tracks, it’s an all-win situation -- for us, that is,” Hamlen said.

     The study was presented at the annual Computer Security Applications Conference in December in Puerto Rico. Source
  7. Attackers gained access to some AdGuard accounts but company can't tell how many.

     AdGuard, a popular ad blocker for Android, iOS, Windows, and Mac, has reset all user passwords, the company's CTO Andrey Meshkov announced today. The company took this decision after suffering a brute-force attack during which an unknown attacker tried to log into user accounts by guessing their passwords. Meshkov said the attacker used emails and passwords that were previously leaked into the public domain after breaches at other companies. This type of attack --using leaked usernames and passwords to hack into accounts at other services-- is known as credential stuffing.

     The AdGuard CTO said attackers were successful in their assault and gained access to some AdGuard accounts, used for storing ad blocker settings. "We don't know what accounts exactly were accessed by the attackers," Meshkov said. "All passwords stored in AdGuard database are encrypted so we cannot check whether any of them is present in the known leaked database. That's why we decided to reset passwords of all users."

     The company says it implemented the Have I Been Pwned API into their existing infrastructure so that when users configure a new password, the AdGuard system will warn them if they're using passwords leaked at other services. Meshkov said AdGuard now also uses stricter rules for choosing passwords, and they also intend to support two-factor authentication in the future.

     The AdGuard exec also revealed that the company found out about the attack after its rate-limiting systems detected the numerous failed login attempts during the password guessing phase of the attack. Most of the attacks were stopped, but some were successful, which usually tends to happen when attackers get lucky and guess the proper combination during the first login attempts. It is unclear what the attackers were attempting to do with such low-value accounts. Source
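The Have I Been Pwned integration AdGuard describes works through the Pwned Passwords range endpoint, which uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally against the list the service returns, so the full hash never leaves the host. The code below is an added example, not AdGuard's implementation: a set-time password policy built on that endpoint, with a real HTTPS client and an offline stand-in whose response excerpt and counts are constructed so the example runs without network access.

```python
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split it: only the 5-character prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How often `password` appears in the corpus; `fetch_range(prefix)` returns the body."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password, fetch_range, min_length=12):
    """Set-time policy: reject short passwords and anything already in a known breach."""
    if len(password) < min_length:
        return False, "too short"
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in known breaches"
    return True, "ok"


def fetch_range_https(prefix):
    """Real client. Add-Padding asks the service to pad the response with zero-count
    entries so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        RANGE_ENDPOINT + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed excerpt of a range response for prefix 5BAA6 (SHA-1 of "password" starts
# with it). The counts are illustrative, not the live service's current numbers.
SAMPLE_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E2AAA439972480CEC7F16C795BBB429372:1\r\n",
}


def fetch_range_offline(prefix):
    """Stand-in for the network call so the example runs without internet access."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", password_acceptable(pw, fetch_range_offline))
```

Swap `fetch_range_offline` for `fetch_range_https` to query the live service; the rest of the policy is unchanged. The check belongs at password-set time (as AdGuard uses it) rather than at login, and it complements the rate limiting that surfaced the attack: rate limits slow credential stuffing, the breach check removes the reused passwords that make it succeed.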
  8. If you want to secure the data on your computer, one of the most important steps you can take is encrypting its hard drive. That way, if your laptop gets lost or stolen—or someone can get to it when you're not around—everything remains protected and inaccessible. But researchers at the security firm F-Secure have uncovered an attack that uses a decade-old technique, which defenders thought they had stymied, to expose those encryption keys, allowing a hacker to decrypt your data. Worst of all, it works on almost any computer. To get the keys, the attack uses a well-known approach called a "cold boot," in which a hacker shuts down a computer improperly—say, by pulling the plug on it—restarts it, and then uses a tool like malicious code on a USB drive to quickly grab data that was stored in the computer's memory before the power outage. Operating systems and chipmakers added mitigations against cold boot attacks 10 years ago, but the F-Secure researchers found a way to bring them back from the dead.

     In Recent Memory

     Cold boot mitigations in modern computers make the attack a bit more involved than it was 10 years ago, but a reliable way to decrypt lost or stolen computers would be extremely valuable for a motivated attacker—or one with a lot of curiosity and free time. "If you get a few moments alone with the machine, the attack is a very reliable way to extract secrets from the memory," says Olle Segerdahl, principal security consultant at F-Secure. "We tested it on a number of different makes and models and found that the attack is effective and reliable. It's a bit invasive because it involves unscrewing the case and connecting some wires, but it's pretty quick and very doable for a knowledgeable hacker. It's not super technically challenging."

     Segerdahl notes that the findings have particular implications for corporations and other institutions that manage a large number of computers, and could have their whole network compromised off of one lost or stolen laptop. To carry out the attack, the F-Secure researchers first sought a way to defeat the industry-standard cold boot mitigation. The protection works by creating a simple check between an operating system and a computer's firmware, the fundamental code that coordinates hardware and software for things like initiating booting. The operating system sets a sort of flag or marker indicating that it has secret data stored in its memory, and when the computer boots up, its firmware checks for the flag. If the computer shuts down normally, the operating system wipes the data and the flag with it. But if the firmware detects the flag during the boot process, it takes over the responsibility of wiping the memory before anything else can happen. Looking at this arrangement, the researchers realized a problem. If they physically opened a computer and directly connected to the chip that runs the firmware and the flag, they could interact with it and clear the flag. This would make the computer think it shut down correctly and that the operating system wiped the memory, because the flag was gone, when actually potentially sensitive data was still there. So the researchers designed a relatively simple microcontroller and program that can connect to the chip the firmware is on and manipulate the flag. From there, an attacker could move ahead with a standard cold boot attack. Though any number of things could be stored in memory when a computer is idle, Segerdahl notes that an attacker can be sure the device's decryption keys will be among them if she is staring down a computer's login screen, which is waiting to check any inputs against the correct ones.

     Cold Case

     Because of the threat posed by this type of attack, Segerdahl says that institutions should keep careful track of all their devices so they can take action if one is reported lost or stolen. No matter how big an organization is, IT managers need to be able to revoke VPN credentials, Wi-Fi certificates, and other authenticators that let devices access the full network to minimize the fallout if a missing device is compromised. Another potential protection involves setting computers to automatically shut down when idle rather than going to sleep and then using a disk encryption tool—like Microsoft's BitLocker—to require an extra PIN when a computer turns on, before the operating system actually boots. This way there's nothing in memory yet to steal. If you're worried about leaving your computer unsupervised, tools that monitor for physical interactions with a device—like the Haven mobile app and Do Not Disturb Mac application—can help notify you about unwanted physical access to a device. Intrusions like the cold boot technique are often called "evil maid" attacks.

     The researchers notified Microsoft, Apple, and Intel about their findings. Microsoft has released updated guidance on using BitLocker to manage the problem. “This technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete Trusted Platform Module (TPM), disabling sleep/hibernation and configuring BitLocker with a Personal Identification Number,” Jeff Jones, a senior director at Microsoft said. Segerdahl says, though, that he doesn't see a quick way to fix the larger issue. Operating system tweaks and firmware updates could make the flag-check process more resilient, but since attackers are already accessing and manipulating the firmware as part of the attack, they could simply downgrade updated firmware back to a vulnerable version. As a result, Segerdahl says, long term mitigations require physical design changes that make it harder for an attacker to manipulate the flag check. Apple has already created one such solution through its T2 chip in new iMacs. The scheme separates certain crucial processes on a dedicated, secure chip away from the main processors that run general firmware and the operating system. Segerdahl says that though the renewed cold boot attack works on most Macs, the T2 chip does successfully defeat it. An Apple spokesperson also suggested that users could set a firmware password to prevent unauthorized access, and that the company is exploring how to protect Macs that don't have a T2. Intel declined to comment on the record.

     "This is only fixable through hardware updates," says Kenn White, director of the Open Crypto Audit Project, who did not participate in the research. "Physical access is a constant cat and mouse game. The good news for most people is that 99.9 percent of thieves would just sell a device to someone who would reinstall the OS and delete your data." For institutions with valuable data or individuals carrying sensitive information, though, the risk will continue to exist on most computers for years to come. Source