Showing results for tags 'exploited'.
mood posted a topic in Security & Privacy News

Recently Patched Android Vulnerability Exploited in Attacks

Google has warned Android users that a recently patched vulnerability has been exploited in attacks. The vulnerability in question, tracked as CVE-2020-11261, was patched by Google with the Android security updates released in January 2021.

The vulnerability is a high-severity improper input validation issue affecting a display/graphics component from Qualcomm. The flaw was reported to Qualcomm through Google in July 2020 and it affects a long list of chipsets.

In Qualcomm’s advisory, CVE-2020-11261 is described as a “memory corruption due to improper check to return error when user application requests memory allocation of a huge size.” The advisory also reveals that the access vector for the security hole is “local,” which suggests it could be a privilege escalation vulnerability.

Google Project Zero researcher Ben Hawkes posted a tweet on Monday to point out that the Android security bulletin for January 2021 has been updated to inform users that the vulnerability has apparently been exploited. “There are indications that CVE-2020-11261 may be under limited, targeted exploitation,” reads a note added to the Android advisory.

Google has credited GitHub security researcher Man Yue Mo for reporting the vulnerability. The researcher earned significant bug bounties from Google over the past few years for potentially serious Chrome bugs.

Google last week said a sophisticated threat actor had used at least 11 zero-day vulnerabilities as part of a mass spying campaign. The APT group had leveraged watering hole attacks to deliver malware to Windows, Android and iOS devices. It’s unclear if CVE-2020-11261 has been exploited by this group.

Source: Recently Patched Android Vulnerability Exploited in Attacks
mood posted a topic in Security & Privacy News

Nespresso smart cards can be exploited for unlimited coffee

Let us imagine that your Nespresso smart card had no limit to how much coffee you can buy with it. A little too convenient, isn’t it? Except, a security researcher, Polle Vanhoof, explains a vulnerability that actually makes this possible.

The problem lies with the Nespresso Pro machines, which have been equipped with a smart card reader whose smart cards are still relying on the MIFARE Classic chip. This is not exactly something that a company should overlook, considering how security researchers reverse-engineered the chips in 2008, being able to clone and manipulate the data on the chip, and published their findings.

[Image: Nespresso smart card (Image source: Polle Vanhoof)]

After this publication, the MIFARE Classic series was deemed unsafe and the company introduced a safer alternative, MIFARE Plus, which relies on more robust encryption (AES-128).

By the use of an NFC card reader, the nfc-mfclassic command, and mfoc (a software that cracks the encryption of MIFARE Classic chips), Vanhoof was able to access, view, and make changes to the card binaries. By making a purchase with the card, Vanhoof identified which binaries change, since the value of the card was stored on the card itself, and not on a third-party server.

When the binaries were compared after purchase, Vanhoof noted that the card used three bytes to represent the total value. “Therefore, the maximum possible amount of money in one of these cards is 167,772.15 euros,” explained the researcher. One would simply have to make use of a hex editor, modify the file and encode it to the card. Indeed, the machine detects that the aforementioned balance is present and allows the user to buy coffee. One coffee would be worth one euro and that equates to 167,772 coffees, which is one coffee a day for 459 years.

[Image source: Polle Vanhoof]

Vanhoof, in his post, advised Nespresso to upgrade its smart cards and, more importantly, to store monetary value on a remote server rather than on the smart card itself. “After talking to Nespresso, it seems they already offer both of these options,” he said.

Source: Nespresso smart cards can be exploited for unlimited coffee
Just one week after a previously patched vulnerability in Exim mail servers was disclosed by Qualys, attackers have begun searching out vulnerable Exim systems, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to encourage users to update their systems to the latest version.

CISA reported the vulnerability CVE-2019-10149 was detected in exploits in the wild and highly recommends Exim users employ the update. The vulnerability affects versions 4.87 to 4.91 and allows a local, or in some cases a remote, attacker to execv as root, with no memory corruption or return-oriented programming involved. While the vulnerability can be exploited instantly, a rather odd set of circumstances must be created and sustained. All the affected versions of Exim are vulnerable by default.

Version 4.92, issued on February 10, 2019, includes a patch to fix the issue, with Tenable estimating 4.1 million servers remain vulnerable.

“Security researchers have observed active exploitation in the wild, one of which includes an attack resulting in permanent root access to vulnerable systems via SSH. It is critically important for those running Exim to upgrade to version 4.92 or apply the backported fix to vulnerable versions in order to prevent these newly discovered attacks from succeeding,” said Satnam Narang, senior research engineer with Tenable.

One reason so many Exim users may have not updated was awareness. The patch for CVE-2019-10149 was included in version 4.92, but was not labeled as a security issue, as Exim does not issue separate security updates.

Source
steven36 posted a topic in Security & Privacy News

Cybersecurity researchers have disclosed details about a new watering hole attack targeting the Korean diaspora that exploits vulnerabilities in web browsers such as Google Chrome and Internet Explorer to deploy malware for espionage purposes.

Dubbed "Operation Earth Kitsune" by Trend Micro, the campaign involves the use of SLUB (for SLack and githUB) malware and two new backdoors — dneSpy and agfSpy — to exfiltrate system information and gain additional control of the compromised machine. The attacks were observed during the months of March, May, and September, according to the cybersecurity firm.

Watering hole attacks allow a bad actor to compromise a targeted business by compromising a carefully selected website, inserting an exploit with the intention of gaining access to the victim's device and infecting it with malware. Operation Earth Kitsune is said to have deployed the spyware samples on websites associated with North Korea, although access to these websites is blocked for users originating from South Korean IP addresses.

A Diversified Campaign

Although previous operations involving SLUB used the GitHub repository platform to download malicious code snippets onto the Windows system and post the results of the execution to an attacker-controlled private Slack channel, the latest iteration of the malware has targeted Mattermost, a Slack-like open-source collaborative messaging system.

"The campaign is very diversified, deploying numerous samples to the victim machines and using multiple command-and-control (C&C) servers during this operation," Trend Micro said. "In total, we found the campaign using five C&C servers, seven samples, and exploits for four N-day bugs."

Designed to skip systems that have security software installed on them as a means to thwart detection, the attack weaponizes an already patched Chrome vulnerability (CVE-2019-5782) that allows an attacker to execute arbitrary code inside a sandbox via a specially-crafted HTML page. Separately, a vulnerability in Internet Explorer (CVE-2020-0674) was also used to deliver malware via the compromised websites.

dneSpy and agfSpy — Fully Functional Espionage Backdoors

The difference in the infection vector notwithstanding, the exploit chain proceeds through the same sequence of steps — initiate a connection with the C&C server, receive the dropper, which then checks for the presence of anti-malware solutions on the target system before proceeding to download the three backdoor samples (in ".jpg" format) and executing them.

What's changed this time around is the use of a Mattermost server to keep track of the deployment across multiple infected machines, in addition to creating an individual channel for each machine to retrieve the collected information from the infected host.

Of the other two backdoors, dneSpy and agfSpy, the former is engineered to amass system information, capture screenshots, and download and execute malicious commands received from the C&C server, the results of which are zipped, encrypted, and exfiltrated to the server.

"One interesting aspect of dneSpy's design is its C&C pivoting behavior," Trend Micro researchers said. "The central C&C server's response is actually the next-stage C&C server's domain/IP, which dneSpy has to communicate with to receive further instructions."

agfSpy, dneSpy's counterpart, comes with its own C&C server mechanism that it uses to fetch shell commands and send the execution results back. Chief among its features are the capability to enumerate directories and list, upload, download, and execute files.

"Operation Earth Kitsune turned out to be complex and prolific, thanks to the variety of components it uses and the interactions between them," the researchers concluded. "The campaign's use of new samples to avoid detection by security products is also quite notable."

"From the Chrome exploit shellcode to the agfSpy, elements in the operation are custom coded, indicating that there is a group behind this operation. This group seems to be highly active this year, and we predict that they will continue going in this direction for some time."

Source